Forum Academy Marketplace Showcase Pricing Features

Upload file as private doesn't seem to be working

I am using Multi File Uploader to upload a file.


I have already ticked the option “Make this file private” and attached to the current user.

After uploading the file, I am using a workflow to save the file’s URL into a table with :save in s3 option


However, the file is not access controlled. Whoever has the URL of the file can open it directly without login to the system. This impose a very big security risk. Please help as I have been struggling with it a lot for my current project.

It may have something to do with privacy rules. Have you read the documentation

Hi Lockymadera,

Yes. I am already using that

But it doesn’t seem to be working.

I couldn’t find more detailed documents either for such

Hmm I’m not sure why everyone can see it. Are you uploading them as an actual account or non logged in?

I firstly logged in the system. As per the screenshot, I have my logged in email displayed. I have a repeating group to display the file URL that I uploaded.


Oh it says when current user is logged in. I think that means if any user is logged in they can see it. Maybe if ‘Current user {is} this item’s creator’.

Still same. In fact, I am opening it in a different browswer. So either way should not allow user to be able to view

Hi @tony.chen,

Di you figure out why the privacy rule was not working? I have the same problem. I don’t want images to be viewed by other users or users that are not logged in, but the privacy rule does not seem to work.


Does anyone got a solution from this? I have the same problem, trying to upload simple profile photos to a users profile. The privacy rules doesn’t work, the images are all still visible via direct links for everyone.

I read there is a solution by using file attachments instead, creating a thing first and then attaching files to it. I don’t quite understand how to make this work. Does anyone got a workflow example for this? Thanks

1 Like

I have the same problem. Did anyone solve the problem???

1 Like

Give it a look into this thread Images in private app

Maybe will help you all

Thanks for the link, but it didn’t help.

Actually I’m doing what everyone is describing. I’m creating the database thing first, and then attaching the image to that with privacy rules set.

The problem is when you put this image into the app and show it in a repeating group for exampe, you can still right-click and get the link to the image which can be shared and accessed by any other browser.

I seem to get two types of link when I do this. Either the direct link to the image similar to this:
This gives the “Access denied” on other browsers as it should be.

but sometimes i get this kind of link:

This link gives everyone access to the attached images. Im aware that there is some kind of access User ID sent with the link.

Is there any way to prevent this accessible links from being created?

In a scenario where you have a paid app in order to get access to images for example, this is a potential security flaw.

(The links above dont work, Its just as an example on what format they have)

To be honest, the major flaw for me is how this has to be done, you should be able to make images private just setting the privacy rules for the data.

But I’m having a similar problem, don’t know if you can prevent accessible links from being created. Don’t know exactly why all images aren’t just like the first link, looks like is stored inside bubble domain.

Can you share how your workflow is working?

Yes, there are two workflows. First one creates a think that’s supposed to hold the image, in this case it’s a post.

When that is created the workflow then triggers a popup to show up which has the image uploader and another button. This button triggers the new workflow which updates the previously created post with the image.

I’m not sure if this is the correct way to do it at all, but this is how I understand it needs to be done by reading the forums.

A lot of hassle just to get images private.


If it is two separeted workflows, remember to ensure workflow order. After reading this thread I linked, I do everything using custom workflows and page states to manage the correct order of execution.

Looks like you are doing everyting right, I guess that your image uploader is with “make this file private” checked and attached to the thing of the user, not to the user itself, because you got a safe link too, the one in “yourapp” domain.

I’m doing something very similar to yours using custom workflows.

Yeah, I agree.

Actually I’m attaching the image to the “post” created in the initial workflow, and not the user. I will try changing that, maybe that’s what’s failing!

No no, I think you are doing right attaching it to “post”.

I’m doing the following schema for my users profile image:

  • I’m using Users Data Type to create/store my users;

  • I’ve a users_image Data Type, with two fields, Users, type Users, and image, type image aswell;

  • Both Users and users_image have privacy rules, using “When Current User is logged in” as condition.

My workflow of saving a profile image to the user actually saves the image in users_image, it’s where the upload element is attached too, and that’s what I’m displaying in users profile Image Element, with a “Do a search for: users_image”, with User = Current User.

Don’t know if is clear to you how I’m doing this.

From your comments, I think you are doing right attaching it to posts, I say that because you got this link (https://bubbleapp/version-test/fileupload/f1636553572063x758580389872973000/xxxxxxx.jpg), a safe link.

I have discovered now that these “unsafe” links containing AWSAccesKeyID etc expire after a few minutes. But they still work on any browser during that time.

In my case the unsafe link is created when I right-click on the “private” image and choose Open in New Tab.

This way you can copy the unsafe link directly from the new tabs browser address bar and it will provide access to the image for some time to anyone.

Can someone else try this and confirm? Is there a way to disable this?

1 Like

I confirm.

No way of disabling or configuring time window.

I got a reply from bubble support that this is the way it’s supposed to be. The link is valid for 5 minutes and there is no way to change that.

As I understand it, any computer with the link can access protected files for 5 minutes, no matter how the privacy rules are set up.