Security: Can end-users overwrite custom-states? Security implications?

We have an email unsubscribe page that enables users to be able to update their email preferences without logging in. We’re able to validate that the user is who they say they are based on unique keys that are passed into the URL (from emails we send them).

Currently, we’re storing this user as a custom state on the page so it’s easy to reference throughout the page without extra lookups / verifications that the keys match.

Two Bubble security questions:

  1. Would it be possible for an end-user to manipulate which user is stored in that custom state such that it’d enable them to view the email preferences for other users since the page is personalized to the user in that custom state?
  2. Would it be possible for an end-user to manipulate which user is stored in that custom state such that it’d enable them to edit the email preferences for other users since we’re not requiring the end-user to log in on this page?

Thanks!

3 Likes

Did you ever get any answers to this?