Hello, I have set up roles “Admin, User, Guest” and I have a page called “dashboard” that is for admins to view stats etc. I have made a workflow that says if the user is not admin, send them to the index page. However, when in incognito mode I still see the page for a split second with all the info etc., and it must be easy for someone with more knowledge to bypass.
The first thing is obviously to secure the data with privacy rules. Any request to data without the right privilege should return empty. If a random user, not admin, can see the data on the page you need to set privacy rules.
After that, if you don’t have “on load” workflows that need data from the client, your redirect (still “on load”) should trigger a server redirect. If it’s not happening, check your workflows.
I don’t really understand this part: “After that if you don’t have “on load” workflows that need data from the client your redirect (still “on load”) should trigger a server redirect. If it’s not happening check your workflows.”
For example, you have a page admin_dashboard:
If you have a workflow that gets data from the URL when the page loads, then Bubble will serve the page.
If you only have a workflow with a condition “only when current user role is not admin” and a single action “go to page normal_dashboard”, then Bubble should redirect directly to normal_dashboard from the server, and admin_dashboard is not even served to the user.
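
An added illustration, not part of the thread and not Bubble's own code: a small JavaScript model of the two layers the replies describe, a privacy rule that returns empty data to non-admins and a redirect decided on the server versus in the browser. The function names, the `/normal_dashboard` path and the sample rows are assumptions made for the example.

```javascript
// Constructed model of the two layers discussed above; not Bubble's implementation.
// All names, paths and sample rows are hypothetical.
const STATS = [
  { metric: "signups", value: 120 },
  { metric: "revenue", value: 4300 },
];

const isAdmin = (user) => user !== null && user.role === "Admin";

// Layer 1, privacy rule: checked on the server for every data request.
// A caller without the Admin role gets an empty result, whatever the page does.
function queryWithPrivacyRule(user) {
  return isAdmin(user) ? STATS : [];
}

// The same query with no privacy rule: every caller gets every row.
function queryWithoutPrivacyRule(_user) {
  return STATS;
}

function renderDashboard(rows) {
  const items = rows.map((r) => `<li>${r.metric}: ${r.value}</li>`).join("");
  return `<h1>Dashboard</h1><ul>${items}</ul>`;
}

// Layer 2a, server-side redirect: the role is checked before any HTML exists,
// so a non-admin receives a 302 and an empty body.
function serveWithServerRedirect(user, query) {
  if (!isAdmin(user)) {
    return { status: 302, headers: { Location: "/normal_dashboard" }, body: "" };
  }
  return { status: 200, headers: {}, body: renderDashboard(query(user)) };
}

// Layer 2b, client-side redirect: the page is served to everyone and a script
// navigates away after load. The body is what the "split second" shows, and it
// stays readable in the raw response even after the browser has moved on.
function serveWithClientRedirect(user, query) {
  const redirect = isAdmin(user)
    ? ""
    : '<script>location.replace("/normal_dashboard")</script>';
  return { status: 200, headers: {}, body: renderDashboard(query(user)) + redirect };
}

const guest = null; // logged-out visitor, e.g. an incognito window
for (const query of [queryWithoutPrivacyRule, queryWithPrivacyRule]) {
  const body = serveWithClientRedirect(guest, query).body;
  console.log(query.name, "-> stats in response:", body.includes("revenue"));
}
```

With the privacy rule in place the client-redirect response still reaches the guest, but it carries no rows; the server redirect removes the page itself from the response.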