Roles and security

Hello, I have set up roles “Admin, User, Guest” and I have a page called “dashboard” that is for admins to view stats etc. I have made a workflow that says if the user is not admin, send them to the index page; however, when in incognito mode I still see the page for a split second with all the info etc., and it must be easy for someone with more knowledge to bypass.

My question is, how do you secure these pages? :innocent:

The first thing is obviously to secure the data with privacy rules. Any request to data without the right privilege should return empty. If a random user, not admin, can see the data on the page you need to set privacy rules.

After that if you don’t have “on load” workflows that need data from the client your redirect (still “on load”) should trigger a server redirect. If it’s not happening check your workflows.

1 Like

I don’t really understand this part: “After that if you don’t have “on load” workflows that need data from the client your redirect (still “on load”) should trigger a server redirect. If it’s not happening check your workflows.”

For example, you have a page admin_dashboard:
If you have a workflow that gets data from the URL when the page loads, then Bubble will serve the page.
If you only have a workflow with a condition “only when current user role is not admin” and a single action “go to page normal_dashboard”, then Bubble should redirect directly to normal_dashboard from the server and admin_dashboard is not even served to the user.

Of course you still need to set privacy rules, that’s the most important thing.

Also, make everything on the page ‘not visible’ by default (just in case), and only make it visible to the correct Users.

As an extra security layer, add the same condition to all the workflows on the page.

2 Likes

Is that possible to do to the whole page or do I have to do it for each group?

Here is my workflow:
Screenshot 2023-02-08 at 16.39.59

I believe I have the settings you described, but Bubble still loads the Admin dashboards and then redirects to index?

Assuming everything on the page is grouped inside a main container, just do it for that. If not, then you need to do it for every top-level container.

You have exactly the settings that prevent a server redirect.

If you have any workflow on page load that uses client-side data (e.g. page URL), Bubble can’t do a server redirect.

This should be the only workflow on page load (it needs to be on page load, not “do when condition is true”).

Oh okay… I followed this tutorial, “How to build a simple dashboard in Bubble: Dashboard tutorial 1/3 - YouTube”, to make the dashboard, and that uses the page load function… How can I do that in an efficient way?

Set privacy rules, and as Adam said add conditions to the workflows and make the elements hidden by default and visible only to the right user.

1 Like
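
The two layers discussed in this thread, as a simplified model in plain JavaScript. This is an added example, not Bubble's implementation or any poster's code; `STATS`, `searchStats`, `servePage`, `renderDashboard` and the `clientDataOnLoad` flag are hypothetical names, and the data is constructed. It shows that the redirect only decides whether the page shell is sent, while the privacy rule decides whether any data is returned.

```javascript
// Constructed sample data standing in for the admin statistics.
const STATS = [
  { metric: "signups", value: 42 },
  { metric: "revenue", value: 1300 },
];

const isAdmin = (user) => Boolean(user) && user.role === "Admin";

// Privacy rule: evaluated on the server for every data request.
// A requester without the privilege gets an empty result, not an error.
function searchStats(user) {
  return isAdmin(user) ? STATS : [];
}

function renderDashboard(rows) {
  const items = rows.map((r) => `<p>${r.metric}: ${r.value}</p>`).join("");
  return `<h1>Dashboard</h1>${items}`;
}

// Page request. clientDataOnLoad models a page-load workflow that needs
// client-side data (e.g. the page URL); in that case the page must be
// served first and the redirect can only run in the browser afterwards.
function servePage(user, { clientDataOnLoad }) {
  if (!isAdmin(user) && !clientDataOnLoad) {
    // Server redirect: the dashboard is never sent to this user.
    return { status: 302, location: "/index", body: "" };
  }
  return {
    status: 200,
    // Client redirect: the page shell is visible for a moment.
    clientRedirect: isAdmin(user) ? null : "/index",
    // The body only contains what the privacy rule allowed.
    body: renderDashboard(searchStats(user)),
  };
}

const guest = null; // incognito visitor, not logged in
console.log(servePage(guest, { clientDataOnLoad: false }));
console.log(servePage(guest, { clientDataOnLoad: true }));
console.log(servePage({ role: "Admin" }, { clientDataOnLoad: true }));
```

In the second call the guest still receives the page shell before being redirected, which matches the flash described in the question, but the shell contains no statistics because the data request itself was refused.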