Hello all, especially @emmanuel and @josh
I have a fundamental design question related to page security. In most web based application frameworks I am used to the general design for security is that regardless of what methodology you use for assigning permissions, the page ultimately evaluates said permissions and sends you on your way if you don’t have them. It does this BEFORE the page actually loads, all “server side”.
Obvsiously there are all sorts of exceptions to that. Sometimes a page loads and parts of the page (components, etc.) have indepdndent permission checks, but still, it is all done before a single visible action happens.
If the application has a more client side design/single page architecture where every loads to the lient and then displays according to permission checks that happen post server, the framework inevitably allows the client components to come across the wire hidden by default.
Here is what I am seeing with Bubble (and I indicated this in a previous post
that never got traction as well as a bug report). You can do a workflow redirect but it happens after the page loads so elements can be seen that may contain data, so your solution is to hide everything on the page for load and use conditional “is page loaded” logic to show everything and then process your redirect workflow before processing your conditionals, except, you have no control over when conditionals evaluate vs. workflows, so this is not a bulletproof solution.
You can do the same thing as above but set the conditionals to check a page level custom state (say shouldLoadPage) that defaults to No and then use workflow to evaluate your permissions and set the page state to Yes if permission exists.
And yeah, that might work, but custom states are page level so you have to create one for every page, and put the same workflow logic in every page and write a special conditional for every group on the page or put a single gourp that holds all your other groups and write the conditional for that…phew.
What a mess. I read another post where someone said “I create an interstitial page that does the checking first”. Yuck.
It all seems…so hacky.
So what is the recommended way to do page level security in Bubble? Is there some reason there is not a simple, reliable way to redirect before everything loads like most frameworks allow?
Am I missing a way to do this that is simple and logical and not just a “I found a workaround that I like”?
If not, shouldn’t there be?
I think Bubble is amazing, and I know that a lot of the problems I have had over time have been because of my inability to adapt to the Bubble way, but what I have always been happy with is that when I do take the time to shift my mindset, I can usually find a solution or I can count on someone in the Forums to have found one. That is wonderful. But I can’t seem to see my way around this one.
Can anyone, especially a representative from Bubble, comment on this?
Many thanks in advance, as this one has been frying my brain for a while.
Marc
*Note - I know about Data Priacy but it doesn’t seem to be a solution for THIS issue.