Understand Security features - can view but not edit

I know how to implement Privacy in my app. From what I understand this feature controls who can view and find in searches.

If I have a case where I allow users to view but disallow editing, I am controlling it via conditions attached to elements in the page. Is there any risk to this approach where someone with the requisite skill can post data to Bubble’s database after analysing the underlying code sent to the browser and modifying it to enable editing?

Is there a need to implement a read-access feature on the back-end, or is it unnecessary as Bubble has implemented some security feature where only our authorised application has permission to make changes to the database?

These are interesting resources on tips to enhance security:

Bubble: Admin & Privacy Tools & Conditions
How To Encrypt & Secure Sensitive Data in Bubble.io
Bubble Privacy Rules Walkthrough

Just my two cents :+1:

Thanks Carlos, however all these features are for encrypting and controlling what a person sees. What I am interested in is how we can protect our data from being edited by unauthorised persons. I know Privacy rules can prevent viewing but it does not prevent editing. Is there some other mechanism Bubble uses on the server side to secure privileges, like PHP or ASP scripting languages where certain server-side code is hidden on render to the webpage?

Cannot provide a direct answer. What I can do is point you to the following:

Please watch min 13:45 > Metisphere in Bubble

And consider reading this post. There is a tool developed by the good folks from Ideable @mattmazzega to check for vulnerabilities in Bubble apps:

Do share your comments please :+1:

Wow Carlos, you really have an encyclopaedic knowledge of all the posts here. I thought @mattmazzega's post on vulnerabilities is very good. A must read for security.

In reply to your post, I’m afraid it didn’t answer my question as to whether the pages are safe from others modifying the pages to submit data when they shouldn’t (they can view based on Privacy but I don’t want them to submit changes). I’m not a strong code reader, hence I do not know whether the connection strings and privileges are openly seen in the raw data sent back to our browser or to other hacking tools out there to exploit.

Can anyone from Bubble shed some light on my concern…

Have the same question, anyone know?