[security issue?] Hide fields data from web source code

Hello,
in my webpage code source i found this line:

script type=“text/javascript”>Lib().db_instance().initialize_data(“1545423712906x256654538582869340”, {"_id":“1545423712906x256654538582869340”,“Created By”:“1348695171700984260__LOOKUP__1545423712906x256654538582869340”,“Created Date”:1545423712911,“Modified Date”:1546544707555,“picture_image”:"// s3.amazonaws .com/appforest_uf/f1531655937627x214220280759036600/009-ninja.png",“user_signed_up”:true,“authentication”:{“email”:{“email”:“admin@email.com”}},“verifry_boolean”:false,“score_number”:625,“actual_ch_number”:0,“d_naissance_date”:1009839600000,“nom_text”:“admin_name”,“pr_nom_text”:“admin_prename”,“ch1_validation_boolean”:false,“ch1en_att_boolean”:false,“ch2en_att_boolean”:false,“rep_en_att_boolean”:false,“phone_number”:“0555”,“activation_code_text”:“7915597”,“verified_phone_boolean”:false,“num_suggest1_succes_boolean”:false,“storystep_number”:0,"_type":“user”,"_version":9264}, “user”, 9264);

as you can see all the data of the user appear here, the phone number, activation code, some boolean that are meant to be modified by the Admin,
is it me or it’s a security issue that need to be fixed ?
is there a way to hide it?

I hope you understand me (sorry for my english)

I’m not sure if this is the normal behavior. Please share a screen capture of the User privacy roles (Editor -> Data page -> Privacy tab -> User -> Data roles for type User) so we can better help. If you are allowing unlimited data access to your admin users and you are logged in as the admin@email.com account then this seems like it would be normal to see in your page source. Bubble runs on JavaScript which requires this code to be visible client-side.

I think the issue is with “this user is the current user”
when I removed it and logged in withoud admin privileg, I did not saw this line

thank you a lot @philip

@philip , can you please tell me what is the benefit of the “this user is current user”?
is it required for user to “get access” to his data ?

Now the user does not have access to his data

The best way for me to quickly describe how these roles work is to share an example:

In this app, people can be active (good standing) or inactive (bad standing, have been banned by an admin). I’m clarifying this twice with “Current User is This User” to cover both scenarios.

Admins have more privileges, namely the ability to view all fields and auto-bind certain fields. This is similar to your admin privacy role except I’m also checking to see if the person is logged in and active.

People’s accounts that do not belong to the current user are protected by specifying “Current User is not This User” and restricting access, in my case this is 1 of 2 roles like this which is meant for people who decide they want to keep their profile private.

Similar to the previous example, here we have slightly different visibility on the fields for people who choose to have a public profile while still keeping “Current User is not This User”.

TLDR; It’s important to cover all potential scenarios for Data Types. In my case that means: users who are active and this account belongs to them, users who are inactive and this account belongs to them, users who are admins and this account is both active and belongs to them, private users who are not the current account owner, and public users who are not the current account owner.

3 Likes

Ok I see it now,
I can choose
what field can be (viewed and edited) by the “current user”
and
what filed can ony be (viewed and edited) by the administrator

thank you very much philip ^^

(only screenshots appeared the first time i viewed your reply)

so again, thank you, you explain it very very well