Role based permissioning

Role-based permissioning is a common need in web-based data applications of a kind Bubble is well suited for.

For example, if I am designing an app I may need “editors” who can edit everything, “contributors” who can create and edit their own stuff, and “reviewers”. There may also be an “anonymous” role which describes users who have not logged in.

Bubble has something like this concept of roles at the back-end but not at the front end. At the back end it is rather complex to define.

I would like to see a system where users can be assigned to one or more roles, and pages can be assigned to one or more roles, and have the Role as a built-in extensible data object (as User already is).

Yes I can roll (pun intended) my own in Bubble but doing so requires quite a lot of work, particularly if I want to centralise the role check. The same system could also take care of quickly distinguishing between pages I want to require login to.

For an example of this done well and simply by a competitor, see Knack: http://helpdesk.knackhq.com/support/solutions/articles/5000443911-user-object-and-roles

3 Likes

What do you mean on the backend vs the front end?
This is pretty easy to implement using custom fields on User data fields. Using a Do When condition on the pages will check to see if the user is a certain role.

2 Likes

Front end is what the user views. Back end is what an admin views.
The Bubble Editor is an example of “low level” back end, since it allows you to build both front and backend of your app.

3 Likes

Just to clarify - are you saying you would like access-permissions to be able to be modified/created without using the Bubble editor, but also without having to create an “if statement” for every single event related to access-permissions?

If so - I too could find this handy as it would cut down a lot of repetitive work.

@cakeheke - yes.

@peng.o - yes, but you have to write a lot of very repetitive workflow “If user is in x role then do following range of stuff”. In the common scenario that you want to limit access to pages by role it is unnecessarily tedious to set this up. Check out the Knack version of this if you want to see how easy it can be.

1 Like

I agree with you.
It will be cool to have a standard feature for managing roles and permissions.

2 Likes

I agree it would be nice to have some standard roles and permissions built into Bubble, or an option to ‘enable’ a pre-configured Roles set that ties in with the current ‘user’ table, so that new people can get started with app building right away knowing that the roles and permissions are configured based on some standards.

The way I see it, Bubble is saying do what you want.
And newbies not implementing proper security and permissions are going to come back and try to blame Bubble for some breach on Bubble, because they don’t understand database design concepts.

@emmanuel You guys solved coding and hosting issue with Visual building, BUT you have introduced the need to learn Database Design and most people won’t even realize that’s something they need to pay very close attention to, in order to build apps they can sell.

4 Likes

We can certainly do better to teach people that, though you have quite some resources available online. We’ll keep improving this as much as we can.

It’s not really that we have introduced a new need to learn, it’s more that we’ve enabled people that wouldn’t think about these issues to get to a point where they need to think about it 🙂

5 Likes

Could this be a way of allowing Users to have many roles, where each role gives access to many pages, all handled in a header doing the redirecting:

Role.PageNames is a text field with all pages this role is allowed to view. If there’s a * in PageNames, all pages are allowed (typically for the admin).

Redirecting to the index page using the page load event is not a clean solution, as the user can press the escape button before the redirect but after the secure page is loaded; the secure page is then simply visible to unauthorized users.

Actually, there is a need for an event which gets executed well before the page is loaded, in order to achieve this.

Bubble team, please let me know if you already have something to prevent this scenario.

1 Like
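
The two ideas in the posts above (a Role.PageNames list with `*` as a wildcard, and a check that runs before the page loads instead of a redirect afterwards) can be sketched as one central server-side check. This is an added example in generic JavaScript, not code from the thread or from Bubble; `canView`, `handleRequest` and all role and page names are hypothetical.

```javascript
// Added example: generic JavaScript, not Bubble workflow code.
// Role, page and user names are constructed for illustration.
// As in the thread: pageNames lists allowed pages, "*" means every page.
const ROLES = new Map([
  ["admin", { pageNames: ["*"] }],
  ["editor", { pageNames: ["dashboard", "articles", "article_edit"] }],
  ["contributor", { pageNames: ["dashboard", "article_edit"] }],
  ["anonymous", { pageNames: ["index", "login"] }],
]);

// Constructed sample pages; the bodies stand in for protected markup.
const PAGES = new Map([
  ["index", "<h1>Welcome</h1>"],
  ["login", "<form>...</form>"],
  ["dashboard", "<h1>Dashboard</h1>"],
  ["articles", "<h1>All articles</h1>"],
  ["article_edit", "<h1>Edit article</h1>"],
  ["user_admin", "<h1>Manage users</h1>"],
]);

// The single, central check. Deny by default: an unknown role or an
// unknown page grants nothing. Everyone also holds the anonymous role.
function canView(user, pageName) {
  if (!PAGES.has(pageName)) return false;
  const roleNames = ["anonymous", ...((user && user.roles) || [])];
  return roleNames.some((name) => {
    const role = ROLES.get(name);
    return role !== undefined &&
      (role.pageNames.includes("*") || role.pageNames.includes(pageName));
  });
}

// The decision is made before any page content is produced, so a denied
// response never carries the protected markup. A redirect fired after
// page load cannot give that guarantee, because the markup has already
// reached the browser.
function handleRequest(user, pageName) {
  if (!PAGES.has(pageName)) return { status: 404, body: "" };
  if (canView(user, pageName)) {
    return { status: 200, body: PAGES.get(pageName) };
  }
  // Not logged in: send to login. Logged in but not permitted: forbidden.
  return user
    ? { status: 403, body: "" }
    : { status: 302, location: "/login", body: "" };
}
```

Because every page request passes through `handleRequest`, a page that nobody remembered to list in a role is denied rather than exposed.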

Hi, there is an easy workaround for this, just put everything in a container and hide the container by default. Only show it after Page Load if your permission criteria are met.

It would still be better to have something more baked in though as I wonder how many people are not using such a workaround and therefore have a security hole.

Thanks for showing the workaround. I am a hard-core programmer and just started using Bubble. I understand what you are trying to say, and thought to do this before posting this question, but it’s extra overhead to manage a main container on every secure page. I am still requesting the Bubble team to create an event which gets executed before Page Load (maybe Pre-PageLoad), which solves this issue nicely.

1 Like

While the workaround will do the trick, I support your request @anilthakkar11. Especially since it’s also easy to simply forget a condition or otherwise make things available by mistake that shouldn’t be.

I know this thread is a little old, but it was the first thread in my search in the forum to find out how people manage roles / permissions within Bubble.

I am a new user, and not a programmer by trade. I am very good with Excel, and know a decent amount of VBA to do app prototyping in Excel using VBA in the backend to mimic a database-driven app. Within my company, I probably meet the definition of citizen developer, and a good candidate for the type of “non-professional programmer” customer Bubble is looking to entice.

With that said, one of the database concepts I know the least about is how to properly manage roles and permissions within an app to control the user experience and prevent unwanted security breaches.

If the Bubble team can add some lessons that can cover some basic concepts / examples of how one would create and implement various roles and permissions, that’d be VERY helpful.

2 Likes