There should be a simple checkbox in the Collaborator section of the app's settings that will allow us to restrict the Duplicate App feature only to those who are the Paying Contributor of the app (i.e., owner), and perhaps additional ones for allowing any Admin to copy.
From my experience, anybody who is a Contributor of an app has the app in their account and can duplicate it… that seems like a major security concern for app owners who hire a freelancer for small tasks, as the freelancer can just duplicate the entire app in seconds once added as a collaborator.
Please upvote HERE
They could do it anyway by exporting the JSON, or accessing the JSON in the editor from the browser console.
Bubble doesn’t have proper scoped permissions (e.g. to a page, reusable, etc.) yet and it doesn’t seem like it’ll be coming any time soon.
When restricting the duplicate feature, they should also restrict access to app file download.
So anybody can just clone our app?
Yeah, if they have editor access then they can access the entire app JSON. It’s just built into the editor.
The point of the idea is to restrict access to features that make duplicating an app easier. This is a security concern. So I’m not suggesting they rebuild the platform. Simple logical thoughts on how to implement it can lead to a solid implementation that reduces or perhaps eliminates the ease of duplicating an entire app.
Yeah, I’d like it too, I’m just saying it’s not happening any time soon because the whole editor is built around the whole JSON being accessible.
Oh, I just have a slightly different perspective on how to easily implement the restriction. Simply hide the export app button in the editor when the user is not the paying admin, and hide the duplicate app button too. If it was an app of mine it would just be a couple of conditions to hide a button.
I’m not talking about rebuilding Bubble.
I’m saying that won’t restrict a technical user from exporting the JSON with one console command.
All of the editor relies on being able to access any path in a version’s app JSON, hence that console command will work even when the button is disabled.
enable_loading_root = true
appquery.app().json.raw()