Let me explain.
The other day, as I was going through @petter 's excellent work in the Bubble manual, I noticed the following:
This made me wonder if using “Current user’s Role” was secure, so I actually messaged Petter to ask, and his answer was that the check would be performed server-side. But this user has demonstrated that this is not the case, with one very specific caveat. He says:
This implies that, at the very least, if you’re not logged in/authenticated, then the server will just “trust” the client-side cookie version of Current User instead of retrieving it from the server. Note that even guest users technically have a temporary “Current user,” created in the DB, so it should still be possible to check against the database, but this doesn’t happen. If this only applies to logged out users, then the condition “Current user is logged in AND Current User’s Role is Admin” should be fine. That is, “if.”
More worryingly, however, it may be the case that Current User is always retrieved from the client, even when you are logged in. This would represent a massive data security problem for Bubble apps, the majority of which use “Current User’s Role is X” to authenticate their workflows.
In light of this, without being too alarmist, I think it would be prudent for @petter and @fede.bubble to escalate this directly to the engineering team and get answers to the following questions immediately:
Is “Current user’s X” evaluated using the client or the server when:
- Current user is logged in and the condition is placed on a normal client-side workflow
- Current user is logged out and the condition is placed on a normal client-side workflow
- Current user is logged in and the condition is placed on a backend workflow
- Current user is logged out and the condition is placed on a backend workflow
My assumption is that Current User’s Role is always a safe condition on a backend workflow because the whole thing is server-side; it wouldn’t make sense to pass it from the client as a variable. So I am not as worried about #3 and #4, but we should get a final answer regardless from the engineering team. This is important enough that it needs to be escalated directly. Last time I reported a security bug using security@bubble.io, one of the techs kept asking me for my app id (???) and basically ignored it despite me describing it fully; the second tech actually escalated it and it was fixed in a week. This can’t wait.
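The failure mode the post describes, as an added illustration that is not part of the original thread and not Bubble’s code (it does not show how Bubble actually evaluates Current User): a plain Node.js authorization check written two ways. The first reads the role from a client-supplied cookie, which is what “trusting the client-side version of Current User” amounts to; the second resolves the current user from a server-side session store and reads the role from the database, which is the only form in which “Current user is logged in AND Current user’s Role is Admin” is meaningful. The in-memory `users` and `sessions` maps, the cookie names `session` and `role`, and the `canDeleteUser*` functions are all constructed for this example.

```javascript
// Added example: a role check that trusts the client versus one that resolves
// the current user server-side. Not Bubble's code; all data below is constructed.

// Constructed stand-in for the app database: user id -> record.
const users = new Map([
  ['u1', { id: 'u1', email: 'alice@example.com', role: 'admin' }],
  ['u2', { id: 'u2', email: 'bob@example.com', role: 'member' }],
]);

// Constructed server-side session store: opaque session token -> user id.
// Only the token is ever handed to the client; the role never is.
const sessions = new Map([
  ['sess-alice-8f3a', 'u1'],
  ['sess-bob-21c9', 'u2'],
]);

// Minimal Cookie header parser: "name=value; name2=value2" -> { name: value, ... }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = value;
  }
  return out;
}

// WEAK: the role is whatever the client claims it is. Anyone can put
// "role=admin" in their own cookie jar, whether logged in or not.
function canDeleteUserWeak(cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  return cookies.role === 'admin';
}

// Resolve "Current user" on the server: look the session token up in the
// server-side store, then load the user record from the database.
// Returns null for a logged-out/guest request or an unknown token.
function currentUserFromSession(cookieHeader) {
  const cookies = parseCookies(cookieHeader);
  const userId = sessions.get(cookies.session);
  return userId === undefined ? null : users.get(userId);
}

// HARDENED: "Current user is logged in AND Current user's Role is Admin",
// evaluated entirely from server-held state. A client-supplied "role"
// cookie is never consulted, so a guest or a forged claim fails closed.
function canDeleteUserHardened(cookieHeader) {
  const user = currentUserFromSession(cookieHeader);
  return user !== null && user.role === 'admin';
}

// Run the same constructed requests through both checks so the gap is visible.
function compareChecks() {
  const requests = {
    admin: 'session=sess-alice-8f3a; role=admin',
    member: 'session=sess-bob-21c9; role=member',
    memberForgingAdmin: 'session=sess-bob-21c9; role=admin',
    guestForgingAdmin: 'role=admin',
  };
  const results = {};
  for (const [name, cookieHeader] of Object.entries(requests)) {
    results[name] = {
      weak: canDeleteUserWeak(cookieHeader),
      hardened: canDeleteUserHardened(cookieHeader),
    };
  }
  return results;
}

console.table(compareChecks());
```

The two rows to look at are `memberForgingAdmin` and `guestForgingAdmin`: the weak check authorizes both because the client wrote `role=admin` itself, while the hardened check rejects both, the guest because no session resolves to a user and the member because the role comes from the database rather than the cookie. The point for a no-code platform is the same: an “is logged in” conjunct only helps if the platform itself resolves the user server-side before evaluating the role.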