Have you looked at your logs to narrow down time stamps and/or looked at the “Created By” field to see which user created the new entries? Do you have anyone added as a collaborator on the app? Is it public/private?
Yeah, I’ve looked at the ‘Created By’ field to try and narrow it down. They’re seemingly random users who’ve created the entries. The thing is, there is a field that should auto-populate with certain values that are not being filled in. What’s more concerning is the loss of data. I’m not sure what clues I can use to see who is deleting data. I’m not on the professional plan, so I don’t think I have any logs to sift through?
Log reporting should be included in every package, in my opinion. Exactly because of this. At least simple reporting. Maybe not huge dashboards or with great detail, but any paying owner should be able to at least know what is happening in his app. Or maybe as a priced add-on. But at least have the option.
That is indeed the right question. Was the app protected in run mode by a password or not? If it isn’t, anyone can find the URL and use the app. It’s not a hack, it is that the internet is an open, public space.
If you want to make sure that doesn’t happen, you should add a password in run mode and of course make the app editing private as well.
You can do this by setting a page load event and redirecting users that shouldn’t access some pages. That offers more flexibility to the app builder, and performance-wise, checking this for each page would not be efficient.
I’ve done this but was testing it recently to see if it is strong enough. It is not - it is extremely easy to get around. Rather than document how here, I will reach out to support and let you know (bug report).
Regardless, far more peace of mind would be available if you just let users set this per page.
These are excellent and mandatory practices every single Bubble developer needs to implement. If you aren’t doing these things, you are compromising your app and your users’ data. While the Bubble team can make some things easier, it is ultimately up to the developer to build out robust security measures.
Regarding this, when we define some custom action in the workflow editor, do we need to put conditions on the custom action itself, or only in the steps/workflows that call it?
Just like the “Performance Q&A Guide” thread, it would be interesting to create a “Security Q&A Guide” thread.