Just to be clear, let’s say I have a Thing in my database that has a user lookup ID (linked field). Even if that unique ID is compromised somehow (assume local access or whatever), it doesn’t override privacy rules for that user’s access, right? Basically, you can theoretically use a user’s “key” to duplicate their access, but it doesn’t ever supersede privacy rules.
Correct, privacy rules are top level access to the bubble database.
From there it returns to the client side. Client side will always only be able to access what the server returned or the public info from George’s thread I linked.
Even if you use your dataAPI and lookup that exact record it won’t be accessed unless authenticated with a user who has access if it’s protected through privacy rules.
2 Likes