Send file through API

Hello,

I have set up privacy rules accordingly.
The user is able to see the private file.
But when this user wants to send this same file through the API connector to Docusign, I get an error.
When I remove the privacy rules, the file is sent correctly and I do not have any error.

Is this a Bubble bug?


Seems like expected behavior to me. If the file is private to that user, then only they can see/access it. Docusign can’t. It’s no different than if the user sent a link to the file to someone else. The recipient of the link wouldn’t be able to access the file because it’s private.


Just for information, you can share a link to a private file.
This is “normal behaviour” for Bubble.
I do not have the same opinion.

If you open a private (incognito) window and visit the private file URL, you’ll see what I mean. That’s what Docusign sees when it’s passed the URL to the private file.

Have you tried it?
Because if a user that has access to a private file copies the link and pastes it in a private browser session, it will open the file.
This is one of Bubble’s huge limitations, from my point of view.
There are a few threads on the forum talking about that.

Yes, I’ve tried it in Chrome, Firefox, and Safari. The file cannot be accessed because it’s private.

So please explain to me how you have achieved this, because this is not working for me at all, even with the privacy rule set up and the file attached to the right thing.

I’m a bit confused. Your original post suggests that it is working because Docusign can’t access a private file. To me, that’s expected behavior.

If, on the other hand, your question is, “Why can users see another user’s private file?”, then that’s a good question, because that’s not behavior that I would expect. Can you share screenshots of the relevant data structure and privacy settings?

So this is a project management app.
Structure of the Data thing created:

  • Technical documentation (Title, the file, linked project etc)
  • User (name, List of projects, Company etc)
  • Project (Title, Company, Starting date etc)

When a user is invited to the project, I add the “Project” to the “Project user List”.
When a file is uploaded in the “Project”, I attach the file to the project through the file uploader. I create a new technical documentation line in the DB. I store in the DB the linked project of the documentation.

Here is a screenshot of how the privacy rule is set up

If the file is attached to the project, then access to the Project controls access to the file. If a user can “see” a particular project, then they can also access any files attached to it (assuming the View attached files permission is enabled). So, you should check to see how the privacy rules are configured for the Project data type.

I also set up the project privacy rule as follows

Ok, so I would expect that any user who has a particular project in their list of projects would be able to access any files attached to that project. That also means that if a user doesn’t have a particular project in their list, they should not be able to access any files attached to that project.

If you’re encountering other behavior - such as a user who doesn’t have a project in their list being able to access that project’s files - then that doesn’t seem right.

Of course, none of this changes anything about Docusign not being able to access private files.

But when I open the file and copy the URL,
then paste this URL into a private session of Mozilla, the file opens.
Same with Chrome.

That would be strange if someone from another project could see the file as in the privacy rule it is specified “This project” and not “All project”.

Regarding Docusign, I add a token (generated in the settings/API tab) into the file URL, so now I am able to send. I do everything in the back-end through an API workflow.
But still, what is the point of checking the box “Ignore privacy rules when running the workflow” if it is not ignoring?

In the File manager, is there a value in the Attached to column?

If so, that means it’s private. If it’s private and you right click the file name and copy the link and then paste the link into a private browser window, I would not expect the file to be accessible.

All my files are private and attached to a thing, and all can be opened in all browsers, private session or not.

Ok, that’s not behavior I would expect. Perhaps it’s something related to sessions on your system. Have you tried it while logged out of both Bubble and your app?

If you want to PM me a link to a non-sensitive private file, I’ll see if I can access it. I suspect I would not be able to, since Docusign can’t.

Hi Steve,

From my understanding, the only difference with Private files (files Attached to a Thing) is they have a signed URL with an expiration of 5 minutes. So, anybody that receives the full URL with a valid signature at the time of the HTTP request can access that file.

Thanks for the reply, Fabrice. The only problem is that what you describe matches neither my experience nor the documentation. The intended behavior is described in the manual both here and here.

My experience has always matched what’s described in the docs - i.e. that any user who can “see” the thing to which the file is attached can also access the file itself, as long as the View attached files permission has been granted in the privacy rules.

Mine don’t. That’s what’s odd. @akoziol and I actually exchanged a few private messages, and I noticed that our private file URLs are distinctly different. His were as you describe - that is, an S3 URL with several privacy related query string parameters - whereas mine aren’t. Mine are a Bubble URL; and so the file, which is hosted on S3, is behind a Bubble endpoint that controls access to it.

I don’t know if this issue is related to regional differences in AWS services across the globe, country-specific privacy regulations, or a Bubble bug or what; but @akoziol said he’d contact Bubble support and report back. I’m eager to learn what the issue is. Meanwhile, things seem to work for me as documented.

:confused:
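The two URL styles compared in the posts above behave differently for a holder with no session, such as a private browser window or Docusign fetching the link. The sketch below is an added illustration, not part of any post and not Bubble's or AWS's actual implementation; the key, paths, user names and function names are all constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-key"  # constructed value, not a real key
TTL_SECONDS = 300                 # the 5-minute expiry mentioned in the thread

# Constructed sample data: each user's project list, and each file's project.
USER_PROJECTS = {"alice": {"proj-1"}, "bob": {"proj-2"}}
FILE_PROJECT = {"/files/spec.pdf": "proj-1"}


def _sig(path, expires):
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def may_view(user, path):
    """Privacy rule: a file is visible if its project is in the user's list."""
    project = FILE_PROJECT.get(path)
    return project is not None and project in USER_PROJECTS.get(user, set())


def issue_signed_url(user, path, now):
    """Model A: the rule is checked once, when the URL is issued."""
    if not may_view(user, path):
        raise PermissionError("privacy rule denies access")
    expires = int(now) + TTL_SECONDS
    query = urlencode({"expires": expires, "sig": _sig(path, expires)})
    return f"{path}?{query}"


def fetch_signed(url, now):
    """Model A, server side: only signature and expiry count, no session."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires, sig = int(query["expires"][0]), query["sig"][0]
    except (KeyError, ValueError):
        return 403
    if not hmac.compare_digest(sig, _sig(parsed.path, expires)):
        return 403
    return 200 if now <= expires else 403


def fetch_gated(path, session_user):
    """Model B: every request is checked against the caller's session."""
    return 200 if may_view(session_user, path) else 403
```

In model A a copied URL works for any holder until it expires; in model B the same path returns 403 to a request with no session, which matches a third-party service being refused.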

Thanks for the detailed reply Steve, this explains a lot! :sweat_smile: I always found that the privacy rules for a private file didn’t respect the documentation and the expected behavior of a private file.
[...] other users will not be able to see that picture, even if an image displays it or if a user has a link to the image file

We’ll wait and see what reply @akoziol gets from Bubble that might explain this discrepancy.

Hey @akoziol,

Did you get a response from Bubble support?