Forum Academy Marketplace Showcase Pricing Features

(Solved) Making attachment private? Bug?

Help please!

I am trying to make an attachment private to the thing that owns it but i don’t have a clue how to setup the privacy rules for it. Can someone share an example please. I have tried almost everything

How can i stop the user from view the image by going to its url?
https://s3.amazonaws.com/appforest_uf/f1477209741822x693847950082272300/Capture.PNG

Alright so i have checked with default privacy permission and i turned off all the privacy rights for “Everyone” rule. Everything works as expected except for view attachment privacy rule. I would appreciate some assistance to see if this is actually a bug or if i am doing something wrong!

Can you share your app (or at least some screenshots of the privacy settings and file uploader element)?

Hello @emmanuel

The privacy setting for where the attached file is setup like this

The idea is whilst your logged in you can open and view the attachments but if your not logged in or have a direct link to the file you should not be able to open it.

The files are attached to the “agreement” thing like this

Link to the editor

Link to run mode
https://ahmedra.bubbleapps.io/version-test?debug_mode=true

User: [email protected]
password: *A1b2c3d4

And do you have a situation where a logged out user is seeing something he shouldn’t be able to see?

If the user is logged out and has a link to the file URL then he has direct access to it. The privacy settings for the field level seem to work fine but the file/attachment level are not working

1 Like

Hello @emmanuel

Any update on this? I have to present for the team early next week and this is still posing a privacy issue as the attachments stored are sensitive.

Thanks

Can you create a simple page where someone would log in and try to see the file. The current setting doesn’t make things super easy to help. The simpler page, the better.

Here you are

https://ahmedra.bubbleapps.io/version-test/simple

So I don’t think we have a bug here, I think it’s more about understanding what the setting offers.

By making attachment private, we mean that a user will be able to see the file using the URL (or get the image displayed) if has rights to see the thing. So in your case, if the user is logged in, he can see the item in searches, so he’ll be able to see the files.

OK. But what if a non user has URL. He can still see the file

So what do think is the best approach here? My ultimate concern is for non logged in users to not be able to see the files even if they have the URL

So we just pushed a fix to the image uploader, we were processing this for the file uploader. Now the URL you’re getting will be protected. make sure to have a thing to attach to when the file is being uploaded.

2 Likes

Thank you Emmanuel. Project completed :smiley:

I was silently watching this topic and now I have something to add. Bubble now made our apps safer than Facebook and Google (Photos). On both you can also access an image by URL on incognito mode. :lock:

2 Likes

Does protection if set up correctly in privacy, only work for the image uploader and not for the file uploader?

It’s the same for both