I have a publicly visible data type CODES which contains thousands of unique purchase codes.
First time users who bought access to my app need to provide a unique purchase code, and the app will search through CODES to see if the code is valid, before creating an account for the user.
I can’t seem to restrict privacy on CODES, as the user account is not created yet.
The page contains the only workflow to search through CODES.
Is this secure? Or prone to hacking? Can anyone somehow read my table of CODES since it’s “publicly visible”?
I’m afraid public means public. However there is a trick to overcome your problem. In short you add onto the User the code (for example on page load) and have a privacy rule that is “user’s code = code”. (even if it is a temporary user)
I learnt about this trick in the security guide ebook that available from
The ebook explains it and shows you how to do it. In short you look at developer console of the browser. Bubble have made improvements to make Bubblers more mindful of privacy rules recently however read the ebook and you will be as expert as anyone.
I’d persevere and double check everything - I use the same technique and it works.
different to me I don’t set the code - I set the ID of the matched thing - so my rule is does ID = ID of Thing. But shouldn’t matter.
Are you sure your are setting the code? Is the code matching case sensitive? (Obvious stuff I know but worth double-checking before looking for more difficult answers)
I’d suggest you make the simplest possible prototype in isolation of your main app to prove that it works (or not). (I bet you it works )