[Upgrade to Bubble Version 23] Privacy Rules Tweak

henry.dowling · May 30, 2023, 9:23pm

Hello everyone,

We just released a new Bubble Version that introduces a tweak into how privacy rules are enforced in backend workflows. This update allows privacy rules to be more powerful, giving you more control over what kinds of data your users can see.

Thanks to @rob.winterbottom for implementing this!

The change concerns expressions that look like “Current User’s X’s Y” and the way privacy rules interact with them. For example, consider this expression:

Current User’s friends:each item’s user’s email

On previous Bubble versions, if the Current User was not authorized to see other users’ emails, this data would (unintentionally) still return the emails of each of the Current User’s friends. On Bubble Versions 23+, nothing will be displayed unless the Current User is explicitly permitted to see this data. More generally, privacy rules are now applied to data types that are referenced by Current User (and also data types referenced by those data types, and so forth) instead of stopping at depth 1.

This new behavior is more in line with existing expectations around the privacy rules work and allows for more powerful privacy rules—and ultimately better security for your apps. Since this change could potentially affect the behavior of existing apps, we’re releasing it as a Bubble version.

You can upgrade to the latest version in the Settings->Version tab. After the upgrade is complete, check any expressions that may be affected and ensure they still work as expected. You may need to adjust your privacy rules!

mghatiya · May 26, 2023, 6:57pm

Which kind of API workflow/ Backend Workflow calls need to be worried about it? We have many of those. How to know? Will it affect backend workflows which do not have any privacy restriction applied (or other way round)?

Please elaborate more. How do we know which expressions may be affected?

henry.dowling · May 26, 2023, 8:39pm

Hey @mghatiya,

Workflows that read Current User’s data type may be affected if privacy rules are configured to not allow the Current User to read that data type. For example, suppose you use a workflow to make changes to [Current User’s partner], set score = Current User’s partner’s score + 1, but your privacy rules don’t allow the Current User to read their partner’s “score” field. Then, this workflow will stop working on Bubble Version 23 (because privacy rules will not allow it to). Note that in most cases there would be no reason you would want to set up privacy rules in this way—we’re making this change anticipating that there are some cases where apps have been relying upon this somewhat unexpected behavior of privacy rules unintentionally, and will have to fix their privacy rules to be more in line with their intended behavior when upgrading to Bubble Version 23.

This change will only affect workflows that use expressions that contain “Current user’s [Data Type]…”, where Current User isn’t authorized to view the Data Type in the expression. So, if none of your Data Types have Privacy rules defined, then none of your workflows will be affected.

Hope this is helpful!

mmahirf · May 28, 2023, 11:27am

(and also data types referenced by those data types, and so forth) instead of stopping at depth 1

So this means that this message below won’t show up anymore?

" Rules that use “This Applications’s X’s Y” can’t grant search access right now"

mikeloc · May 28, 2023, 2:43pm

If that’s true, it’s huge (in my opinion, of course), and there is no way it should be buried in a post about privacy rules that has the word “tweak” in the title.

mmahirf · May 28, 2023, 3:21pm

Will need to test it out. Afraid to upgrade as I don’t want to get into updating my apps now if anything breaks.

adamhholmes · May 28, 2023, 10:24pm

When i first read this announcement that was my thought (hope) as well…

But, it turns out, that’s not the case.

boston85719 · May 28, 2023, 10:24pm

How does the new privacy rule tweak affect our workflow units?

zelus_pudding · May 28, 2023, 10:25pm

[META] I believe this re-write produced by ChatGPT is correct but recommend not presenting what it said as true unless you previously confirmed it to be. GPT doesn’t spit out facts but best guesses of what words it thinks go together in response to prompts… which can include non-facts.

Your post suggests you didn’t understand what Henry was saying, that ChatGPT clarified it for you, and now that clarification is public for all to see. Unless you’ve confirmed the GPT rewrite is correct (as I did at the start of the post), then there’s a better than zero chance you’ve shared misleading information… Really, it’s a toss up. On this flip of the coin I think it all worked out okay but in pursuit of helping people you could have made this (self professed) confusing topic even harder for those none-the-wiser to understand.

It would have been better to have said something like:

> Hey Henry, I was a bit confused by this thread so asked ChatGPT to summarize it for me. Is the following correct? [Insert GPT response].

ramzizi · May 28, 2023, 6:02pm

I’m also going to wait to upgrade. I’ve had trouble with privacy rules in the past where issues have popped up where they shouldn’t have. I don’t feel like breaking my back end and bug testing. I couldn’t really understand the original post too well

DjackLowCode · May 28, 2023, 7:26pm

Hi @henry.dowling, a bit confused about the statement below - are you saying that if the Current user was not authorized to see emails on other users, and this was explicitly forbidden by Privacy rules, this would still be returned to the client if used in search expressions in current versions?

ihsanzainal84 · May 29, 2023, 8:34am

That’s what it shockingly sounded like to me.

ihsanzainal84 · May 29, 2023, 8:39am

Putting aside my surprise that this was a privacy issue I wasn’t aware of before. This tweak looks to like it will reduce data being sent client side and hence reduces WU costs and I’ll smoke a cigarette to that.

cmarchan · May 29, 2023, 4:59pm

I am waiting on other folks to share with us how this change affects their apps.

If I understand this correctly, I agree with @mikeloc and this could cause a big impact on apps if they upgrade.

Please do not get me wrong @henry.dowling . The functionality ROCKS!!!

I am just concerned that making the upgrade may break many apps…

johnny · May 30, 2023, 5:55am

Hey @henry.dowling,

A little confused about the impact of this announcement.

So let’s say:

I have a Thing and that thing is connected to the User type

So with this new update I can’t access Current User’s Thing?

If the user has access to view Thing’s fields, will Current User’s Thing still work?

henry.dowling · May 30, 2023, 9:17pm

Hi all, seems like there’s been some confusion around exactly what has changed in Bubble Version 23. My bad—I’m going to edit the initial post slightly to (hopefully) clear things up. Also, I’ll respond to some questions here:

What do I actually have to do to make sure my app works on Bubble Version 23?

Bubble Version 23 contains a fix to a bug in the way privacy rules are applied to expressions like “Current User’s X’s Y”. If you use an expression that looks like this in your app, and if you have configured your privacy rules so that the Current User cannot access X’s Y, previously expressions like this would still (unintentionally) evaluate. On Bubble Version 23+, these expressions will now not evaluate in cases where privacy rules dictate that they should not be allowed to evaluate. So, to make sure your app is good to update to Bubble Version 23, you should check your privacy rules to make sure that none of them forbid any expressions in your app of the form “Current User’s X’s Y” from evaluating.

Does this mean, that in previous Bubble Version < 23, if the Current user was not authorized to see emails on other users, and this was explicitly forbidden by Privacy rules, this would still be returned to the client if used in search expressions in current versions? @DjackLowCode

Only if that information is rendered in the UI. To be clear, if you don’t explicitly display this information on your app, it will never be accessible to unauthorized users (on any Bubble Version) . However, for Bubble Version < 23, apps don’t have the additional guardrail of privacy rules that would prevent this information from being displayed to the Current user even if you build a UI element on your app to display it.

Does this change affect the " Rules that use "This Applications's X's Y" can't grant search access right now" error message? @mmahirf @mikeloc @adamhholmes @cmarchan

Unfortunately, no. We do have plans to fix this eventually!

How does the new privacy rule tweak affect our workflow units? @boston85719

This change does not affect your app’s consumption of workflow units.

henry.dowling · May 30, 2023, 9:20pm

Expressions like “Current User’s Thing” will continue to work. The only type of expression that will stop working is expressions of like “Current User’s friend’s email” where Current User is not allowed to see their friend’s email due to privacy rules (these types of expressions unintentionally evaluated up until BV23).

johnny · May 31, 2023, 8:03am

Hmm what if I do Current User’s Thing’s Field? But that user has access to view all fields in Thing? Would that work?

Let’s say I wanted Current User’s friend’s email, whats the best way to go about doing that in this new version?

ryanck · May 31, 2023, 9:51am

I feel like Bubble is getting really confusing in terms of everything.

boston85719 · May 31, 2023, 4:31pm

I’m sorry @henry.dowling I was being facetious…I am anxiously waiting for announcements of features that are new and delivered with the sole intention of improving our ability to develop apps optimally with the new WUs pricing structure…basically features that make it cheaper to operate an app, like a search that allows us to designate which fields to return, or improvements to the way the URL parameters and paths are extracted to return the thing from the DB and the many many other new features that need to be added in to keep Bubble alive.