I want to restrict certain actions based on permissions.
Setting a condition on a button (not visible / not clickable) depending on the User role is easy; however, is this secure (i.e. can someone in the browser inspector easily bypass this)? If this is the case, setting a limitation on the workflow (e.g. first step "Terminate this workflow if" with the same condition) would be a secondary boundary. Same question: is this secure (i.e. users cannot bypass this in the browser)?
Yes, this is secure. It is often easier to understand if you put it on the workflow event itself, though. It must use server-side data, e.g. Current User's Role or "Do a search for X", rather than "group - is user admin?'s yes/no is yes", which is client-side and can be manipulated.
This diagram might be useful for understanding how Bubble evaluates data used in workflows.
In it, Current User's email is server-side data, but var Account's Account's unique ID and Input's value are client-side, so they should be treated as untrusted. A user could manipulate the account ID to be a different account and then edit the name of it.
But, the email will always go to the Current User’s email, because that is not something passed to the workflow from the client.
Made me think, if I have RLS via privacy rules that prevents Read only, but there is no Delete restriction. Does this mean that - given the right trigger events, someone is able to delete rows in the database?
Say I have a list with Projects and every Project is connected to a User. Privacy rules say only Project created by User is visible etc.
Example: if in the front-end I make an implementation error by not putting the constraint on the list with Projects that I have, where I allow a user to delete its project (i.e. "Project's user is Current User" is not set as a constraint). As a consequence all the other Users' projects also show up in the list, but as empty records, as the privacy rules limit the transfer of data.
If I select such an empty record and delete it, does it mean that the record actually gets deleted, or is this protected via privacy rules as well (e.g. the UID is not visible, hence the delete process will not resolve to a database record)?
Things can only be deleted (assuming data API is disabled) from a workflow action.
So, you need to secure the workflow action.
Ordinarily, privacy rules protect the case where user tries to delete something that’s not theirs. But, for many apps, you can see things that you’re not allowed to modify.
e.g. for a marketplace, I can see listings.
That doesn't mean I should be able to inject any listing ID into the Delete listing button. To fix that, on our workflow, we check "parent group's listing's user is Current User" (or whatever your exact data source is) to make sure it's a listing I have permission to modify.
This is along the right lines but not quite. If the privacy rule doesn’t permit access in searches, the Project will never be in the repeating group. It won’t appear as an empty result, there just won’t be any results.
I haven’t checked in a while but Bubble is pretty good about restricting actions based on privacy rules.
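The two points made in this thread, that an authorization decision must come from server-side data (the current user as known to the server, not a client-side yes/no) and that a delete action must check ownership of the record rather than trusting whatever ID the client submits, can be illustrated outside of Bubble. The following is an added Python model, not Bubble code and not from any poster: a tiny in-memory store, a session table that stands in for the server's knowledge of Current User, and two delete handlers, one that trusts a client-supplied "allowed" flag and one that checks ownership server-side. The listing data, session tokens and request payloads are constructed for the example; `search_listings` stands in for a privacy rule that only returns records the caller created.

```python
"""Server-side authorization for a delete action (added illustration).

Models the thread's advice: derive the acting user from server-side
session data, check ownership of the target record, and ignore any
authorization claims the client sends. All data is constructed.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the server refuses the requested action."""


@dataclass
class Listing:
    id: str
    owner: str   # user who created the listing
    title: str


def make_store():
    """Constructed sample data: two users, one listing each."""
    return {
        "L1": Listing("L1", "alice", "Bike"),
        "L2": Listing("L2", "bob", "Lamp"),
    }


# Constructed session table: the server maps an opaque token to a user.
# This is the analogue of Bubble's Current User: the client cannot edit it.
SESSIONS = {"tok-a": "alice", "tok-b": "bob"}


def current_user(session_token):
    """Resolve the acting user from server-side state only."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise PermissionDenied("no valid session")


def search_listings(store, session_token):
    """Read path: like a privacy rule, only return records the user created.
    Records the user may not see are absent, not returned as empty rows."""
    user = current_user(session_token)
    return [l for l in store.values() if l.owner == user]


def delete_listing_client_trusting(store, session_token, request):
    """Weak version: the only check is a flag supplied by the client.
    Anyone who edits the request payload can delete any listing."""
    current_user(session_token)                 # confirms a login, nothing more
    if not request.get("allowed"):
        raise PermissionDenied("client says not allowed")
    listing_id = request["listing_id"]
    if listing_id not in store:
        raise PermissionDenied("no such listing")
    del store[listing_id]
    return listing_id


def delete_listing_server_checked(store, session_token, request):
    """Hardened version: the decision uses only server-side facts.
    The client-submitted 'allowed' flag is deliberately never read."""
    user = current_user(session_token)
    listing = store.get(request.get("listing_id"))
    if listing is None:
        raise PermissionDenied("no such listing")
    # Ownership check equivalent to "parent group's listing's user is Current User".
    if listing.owner != user:
        raise PermissionDenied("listing does not belong to current user")
    del store[listing.id]
    return listing.id


def demo():
    """Returns (weak_result, hardened_result) for alice targeting bob's listing."""
    store = make_store()
    weak = delete_listing_client_trusting(
        store, "tok-a", {"listing_id": "L2", "allowed": True})
    store = make_store()
    try:
        delete_listing_server_checked(
            store, "tok-a", {"listing_id": "L2", "allowed": True})
        hardened = "deleted"
    except PermissionDenied:
        hardened = "denied"
    return weak, hardened


if __name__ == "__main__":
    print(demo())  # ('L2', 'denied')
```

The weak handler shows why a button condition or a client-evaluated yes/no is not a boundary: the flag travels with the request and the server has no way to know it was honestly computed. The hardened handler only consults the session and the stored owner, which is the same shape as putting a "Current User" comparison on the workflow event. Note also that `search_listings` never yields an empty placeholder for another user's record, matching the last reply: a record the privacy rule hides simply does not appear.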