Redirect underprivileged users to another page to avoid them to see a fully loaded page is a basic security measure in a Bubble app.
Airdev guide on best practices encourages using a Go to page action into a single-action workflow triggered by a When page is loaded event.
Events of the type When page is loaded are triggered when the page is finished rendering, i.e. after downloading Current User thing + Current Page thing + HTML + JS files, Bubble renders the page.
Events of the type Do when condition is true are triggered when the info to evaluate the condition is available. If we are using a Current User property to evaluate the condition, it will be available before the page is done rendering.
My question: if we use the userâs role (stored as a Current Userâs property) to determine whether or not the user must be redirected, wouldnât be better to use a Do when condition is true to redirect the user?
This is a client-side operation, whereas when page is loaded is sometimes possible to execute server-side with simple conditions. So, âwhen page is loadedâ is moderately misleading.
I guess an attacker can modify a Current Userâs field to satisfy the condition of a Do when condition is true event, since the condition is evaluated client-side, and the Current User thing is already in the client and can be modified.
Thatâs the reasoning behind your answer, isnât it?
Iâd imagine that you want to prevent an underprivileged user from accessing information they shouldnât have access to.
Wouldnât it make sense to simply apply conditional visibility on the information on the page that is only rendered visible if the user meets the condition in question. This could potentially slightly negatively affect the page load speed. Then potentially as an additional layer of security assign some kind of token or arbitrary combination of numbers and letters that renders the information on the page if the Current User has a valid unique_identifier that validates their âpriviledgedâ status.
Then whether you use the Go to page action or the Do when condition true action is irelevant because although the underpriviledged user may get a fully rendered page (before the redirect) they wonât have access to information on the page if it isnât visible on page load
Just shooting in the dark here, but maybe that could help
Then, I undertand that using a Current Userâs attribute for a conditional can be hacked, because the evaluation happens client-side.
But what if I am using a server-side checked conditional (in a Do when condition is true event) for redirecting the user? e.g. I use a Search for expression, without advanced filtering, in the conditional.
Could the redirection be hacked by altering browser-stored data? Why is it not recommeded over using a When page is loaded event?
Because, unintuitively, Bubble can check the when page is loaded condition server-side, before the page is sent to your browser, when the condition is simple.
Then, I find the description that @petter provides in his book âThe Ultimate Guide to Bubble Performanceâ about the order of execution of different front-end events, as page loads, a bit misleading.
In p. 57-58 he describes the sequence of page loading:
Server looks up for the Current User and the Current Page Thing information, generates the HTML and sends it altogether to the browser
As the HTML refers to JS files, these are also downloaded by the browser
The page renders in the browser
In p.62 he states that the When Page is loaded events trigger as soon as the page is done rendering, i.e. after step 3
According to @georgecollier answers it seems that a particular case of When Page is loaded events, with a single Go to page action, and a server-side checked conditional, do execute prior to step 3, so that nothing is sent to the browser, but a 302 redirect.
Thanks for pointing this out. Youâre right that the sequence of page loading is only relevant if the page load process actually starts,
Iâll need to read through the full passage to see how I can clarify this point, but Iâve taken note of your feedback and will take it into account for the next revision.
