Security - Secure your Server-Side data

Docs Security and Login
#1

Wappler knows how important and sensitive server data can be and provides simple setup to ensure it can not be accessed by unauthorised users

Using the security provider tools you can secure your server actions so that no data will be shown to unauthorised users, if they somehow access the link to your server action.

 
Step 1: Here’s our server action, which contains a database query:

restrictApi_1.jpg700×812 121 KB

 
Step 2: Right click the step before the query:

restrictApi_2.jpg700×812 111 KB

 
Step 3: Open the “Security Provider” group:

restrictApi_3.jpg700×812 115 KB

 
Step 4: And press “Add Security Provider”:

restrictApi_4.jpg700×812 93.2 KB

 
Step 5: Load the same security provider, which you defined for the login action:

restrictApi_5.jpg700×812 124 KB

 
Step 6: Then right click the security provider step:

restrictApi_6.jpg700×812 131 KB

 
Step 7: Open the “Security Provider” group:

restrictApi_7.jpg700×812 135 KB

 
Step 8: And press “Add Security Restrict”:

restrictApi_8.jpg700×812 114 KB

 
Step 9: Select your security provider from the dropdown:

restrictApi_9.jpg700×812 110 KB

 
Step 10: And select if this server action requires any specific permissions. In our case it doesn’t require any permissions so we select - “All Logged In”:

restrictApi_10.jpg700×812 112 KB

 
Step 11: Save your server action:

restrictApi_11.jpg700×812 111 KB

And you are done. You won’t be able to preview the server action results (using the preview in browser button) as you are not logged in.

WapplerPrevious   WapplerNext

6 Likes
How 'serious a website' can you build on Wappler?
Using Session Variables
Security Restrict Permissions help needed
Security and Login
Wappler Official Documentation
#2

2 posts were split to a new topic: Connection errors displayed in Wappler

#3

The above post talks about how to secure a database query. So, for example, only someone with admin status can see the results of a particular database query…super useful.

I’d like to know if there is also a way (outside of database query security rules) to protect data and/or files from only being visible to specific users.

For example, let’s say a given user uploads files for storage and then wants view a list of those files later because he may want to download one or more of the files. The database query would be for any user to query their uploaded files, but if the query was carelessly constructed, or if the query were to fail to complete properly, then it might mistakingly show the user a list of other users’ files. I’d like to avoid this by setting some sort of server level data privacy rules that don’t depend on a database query.

Bubble has something along these lines called Privacy and Security Rules , but I’m not certain how to go about it in Wappler.

So basically I’m looking to set a sort of server side data privacy rule that says only the user who uploaded a file should be able to view/download that file.

Any suggestions?

Thanks!

1 Like
#4

Hi Eddie,

What Bubble is doing with the privacy setting is simply adding additional constraints to all of your searches. I suppose that could be considered system level, but I think really it is just automated logic added. It is an interesting concept they implemented.

—Ken

#5

Hey Eddie, I am a little confused by the concern to be honest but I think you are looking at the wording in the security restrict step under it’s properties which say “All Logged In” and are taking that to mean something slightly different than intended.

Permissions are like All Logged In users could have access to move a file from one folder to another, while another database action might be to delete files and you only want admins to have access to that functionality, so in that delete database action you would set the permission to admin rather than all logged in.

As far as each user only seeing their own files that is a completely different thing to All Logged In, that is more to do with the way you have designed your database, and the way you have constructed your database query.

I hope that makes sense.

#6

@mebeingken, it seems correct to say that Bubble’s privacy and security rules add additional constraints to all of your searches, but those constraints seem to apply even when there aren’t “searches” (or database queries as they’re referred to in Wappler). From Bubble’s privacy and security page…

Until you set privacy roles, all data created by your users or yourself can be read by anyone. Anyone with some programming skills can view all your app’s data, even if there isn’t a page in your app that explicitly shows the data to users. That’s where privacy roles are important, they guarantee data is only shown to people to meet some criteria. Privacy rules are enforced on the server, which makes them secure.

When you create a new app, all data is open to the public. This is appropriate for things such as comments on a blog, where you want to share it with the world. However, many apps involve users submitting information that you don’t want to share with the world, such as their names and emails, or comments meant only for people they already know. Privacy rules are the tool Bubble gives you to protect that information and make sure it is safe. If you haven’t explicitly created privacy rules for a given thing, then the data is not secure.

@psweb, I’m clear on “All Logged In” only be one option of several and how the database design comes into play…for example, setting the userID as a foreign key in the in the Files table so that we can associate specific files with the user who uploaded them.

My concern is really about the above quoted paragraphs. I understand they are referring to Bubble and not Wappler, but the description seems like it’d be an issue for any web app unless some kind of privacy/ownership rules are being applied at the server/system level, which would be in addition to any constraints applied to a given search/database query.

Maybe my concern is unfounded when it comes to Wappler? If so, I’d be interested to know why.

Much appreciated!

#7

Hello @eddie5
The security provider and its roles do exactly that and that is on the server level. You can restrict your server actions, so only logged users or only users with certain permissions can access the data (not only database query but any data in your server actions).

1 Like
#8

Thank you for clearing that up, @Teodor. Glad to know there is a way to restrict access to data outside of database queries.

You mention that we can restrict not only database queries, but also any data in our server actions. What kind of non-database query server action would we apply the security provider to in order to accomplish this?

Thanks.

#9

Any server action with the restrict step applied can be secured :slight_smile:

1 Like