Some explanation about links to files (Amazon, Cloudfire?) and privacy settings?

Hi, I’m wondering if someone can give me an explanation as to why I get two different links to the same image, depending on from where you access the image (Database link or exposing Data api).

I have included a new field type image inside a data type. To access that image a get this link from the database (link is not real),

If I expose my Data api i get this link in the JSON (link is not real),

Why are these two links different? One uses amazon and the other cloudfront.

My other question is why are these links accessible if I have privacy rules that only give access to those files if the user is logged in? What am I missing? Is this a bug?


Anyone or someone from Bubble @eve have an explanation for this?

Images are still visible.


What I think:
If you enable cloudflare, the link store in DB is amazon, but when you reach if from Bubble, this will use cloudflare for performance reason.
About privacy: Did you try to enter the url into a different browser / session? Don’t forget that when you open the link in the same browser session that you already logged in with Bubble, it will work, you are logged in. Try to log out and try to fetch the link. Also, be sure that you use attach file feature in uploader.

Thanks @Jici for the reply and the explanation about the links.

In relation to privacy and permissions, I opened the image in a new incognito window (user not logged in) and I can still see the image. What exactly do you mean with ‘use attach file feature in uploader’? The image is saved as a new field in a data type. I will pass this on to bubble as a bug to see what they say.


With the uploader element (to upload a file) There’S an attach file to field.

I generally “attached to current user” which provides privacy around the file. Once you have this setup, try opening the file in another browser or not being logged in. You should see an unauthorized error.

1 Like

Thanks @Jici and @gilles, but I’m confused. I don’t want users to be able to attach images. They are images that already exist in a custom data type but I want them to be only accessible by logged in users.

Am I understanding that I first have to upload the images to the custom data type as a user and then delete the file uploader element? Is that that what you are saying? Is this normal? Surely this can’t be right if there is aleady a privacy rule applied to a custom data type, but its not applied to an image field, right?


Read this first and this section:
Make this file private

Thanks @Jici,

So if I understand correctly, if I want to upload private images to a custom data type (A static list used across my application), I can’t simply upload the images directly to the database and make them private, instead I have to create a page with a repeating group and use the file or picture element to manually upload the files privately to the database and then delete the page (why would I want the page, right?) since this list will be used for a dropdown like a list of countries or days of the week.

I sent an email to Bubble because this method seems totally twisted. I understand it if you want to do this from the Frontend for the end user, but this makes no sense if you simply want to add a list of private images through the backend dependent on permissions.



Hi Mangoly, there was a response from the bubble?

Yep @climaagil.bubble, the only way is the one mentioned in my early post.