While building my first app I noticed that if I want to redirect users away from pages because they are not logged in, Bubble first loads the page in the browser and only then the redirect happens.
So if non-registered users have the direct URL to pages they are not supposed to see (let’s call them “private” pages), they can simply go there and stop the browser before the redirect.
I read a little and I found 2 tricks that Bubblers suggested:
1. Hide the content on these “private” pages with an element and then un-hide it if the user is logged in.
In this case the content is still loaded in the browser, so using the browser dev tools, users still have access to the page.
2. In those “private” pages, each piece of sensitive information can be loaded with a condition. So even if the user gets to the page, the stuff that they shouldn’t see will not be there.
In this case, I’m not sure if the content will be loaded in the browser or if the server holds it until the rule is met (which is more secure). But it requires a lot of work going through all the details on all the pages and creating conditions.
Both of these options feel too complicated and not very friendly, for a fairly basic functionality.
With regard to your point #2, you could define privacy rules based on user roles and the fields they would have access to. This way Bubble would not load them into the browser if the rule is not met, and it is also easier to configure and maintain.
However, in my specific case, this might not be what I need, because I’m looking to restrict users from seeing some pages (most pages) if they are not logged in AND filled in some further details on a “more info” page that I show after registration.
So if the user is not logged in, I will redirect to the login page.
If the user is logged in but didn’t complete the second-step registration page, I want to redirect to that page.
And in both cases, these users shouldn’t have access to most of the data.
Any idea how to approach it with the above scenario?