Let me explain.
The other day, as I was going through @petter's excellent work in the Bubble manual, I noticed the following:
This made me wonder if using "Current user's Role" was secure, so I actually messaged Petter to ask, and his answer was that the check would be performed server-side. But this user has demonstrated that this is not the case, with one very specific caveat. He says:
This implies that, at the very least, if you're not logged in/authenticated, then the server will just "trust" the client-side cookie version of Current User instead of retrieving it from the server. Note that even guest users technically have a temporary "Current user," created in the DB, so it should still be possible to check against the database, but this doesn't happen. If this only applies to logged out users, then the condition "Current user is logged in AND Current User's Role is Admin" should be fine. That is, "if."
More worryingly, however, it may be the case that Current User is always retrieved from the client, even when you are logged in. This would represent a massive data security problem for Bubble apps, the majority of which use "Current User's Role is X" to authenticate their workflows.
In light of this, without being too alarmist, I think it would be prudent for @petter and @fede.bubble to escalate this directly to the engineering team, and get the following answers to these questions immediately:
Is "Current user's X" evaluated using the client or the server when:
1. Current user is logged in and the condition is placed on a normal client-side workflow
2. Current user is logged out and the condition is placed on a normal client-side workflow
3. Current user is logged in and the condition is placed on a backend workflow
4. Current user is logged out and the condition is placed on a backend workflow
My assumption is that Current User's Role is always a safe condition on a backend workflow because the whole thing is server-side; it wouldn't make sense to pass it from the client as a variable. So I am not as worried about #3 and #4, but we should get a final answer regardless from the engineering team. This is important enough that it needs to be escalated directly. Last time I reported a security bug using security@bubble.io, one of the techs kept asking me for my app id (???) and basically ignored it despite me describing it fully; the second tech actually escalated it and it was fixed in a week. This can't wait.