Flutter firebase realtime db to use displayName in Rules - firebase

I updateProfile with a display name. I then try to access this display name in the database security rules. But the displayName on the database is not updated.
This is using Firebase realtime DB with Flutter.
Code:
await referencedData.firebaseAuth.currentUser.updateProfile(
displayName: 'gameName' //that only the players know about
);
In my rules I have:
".write": "!data.exists() ||
auth.displayName == data.child('gamename').val()",
//rules meaning no data exists, so owner can create a new game or
//game name already set in database, I know this gamename, and it is in display name, so I can write and delete
I have spent 3 days or more searching for documentation or examples. Any ideas on where to look?

All properties are available under auth.token, and the display name is available under auth.token.name.
So:
".write": "!data.exists() ||
auth.token.name == data.child('gamename').val()",
Also see the Firebase reference documentation for auth.token.

Related

How to disable a firebase realtime database

I have created a demo realtime database on firebase console. There is no data in it yet. I want to deactivate & delete this demo realtime database, but don't know how.
The Disable button is grey, indicating I need to remove data before disabling. But I cannot find the data anywhere.
Check if this post is usefull.
It seems that all you have to do is set these rules in the rules tab of your database:
{
"rules": {
".read": false,
".write": false
}
}

Firebase database security rule, check auth.email in resource.data

Error [firebase.firestore] FirebaseError: Missing or insufficient permissions.
I have an object that a few users are allowed to update. An admin will set their email, and these users who sign in with those email will be allowed to update.
These are the rules that I have tried:
allow update: if request.resource.data.managerEmails.val().contains(request.auth.email) && request.resource.data.id == resource.data.id;
allow update: if request.resource.data.managerEmails.contains(request.auth.email) && request.resource.data.id == resource.data.id;
allow update: if request.resource.data.managerEmails.includes(request.auth.email) && request.resource.data.id == resource.data.id;
The resource to update:
{
id: "someid",
...fields,
managerEmails: "abcde#email.com,anothermanager#email.com",
}
User auth who is updating:
{
uid: "rSTLnYD9aisyZJHQPC6sg7mlsZh1",
email: "abcde#email.com",
...
}
Update:
Using request.auth.uid has been working in other rules, but in this case, I have to use emails because the users might not have signed up yet.
Using Rules Playground, I get Property email is undefined on object. Maybe using request.auth.email is not possible?
I was having the same problem but switched from using firebase.auth.email to firebase.auth.token.email and it now works.
I strongly suggest doing two things.
Firstly, store UIDs instead of email addresses. A UID is the preferred way to identify a single Firebase Auth account and is always guaranteed to exist and be unique. Email addresses are not.
Secondly, store the list of users as an array type field instead of comma separated string. This will be much easier to manage overall.
After you do these two things, the rule becomes simple:
allow update: if resource.data.managerUids.hasAny([request.auth.uid]);
use: request.auth.token.email insted request.auth.email
documentation here

How to hide specific node in firebase realtime database

I have 2 questions related to firebase realtime database.
Q1) Is it possible to hide a certain node from public and only one person have access to that node ?
( I want to save a transaction key in database and only 1-2 persons can access that key from database. )
Q2) If my security rules for database are set to public, can anyone download/access complete data or they must know the structure in order to access data from database.
A1/ Yes it is possible to limit access to a certain node to a only subset of users. There are several approaches for that. If it is a small and more or less stable subset of users, you can check if their uid is contained in a specific node listing the admin users uids, as shown below:
{
"rules": {
"secretnode": {
//only an admin user can read
".read": "auth != null && root.child('adminusers/' + auth.uid).exists()"
},
"adminusers": {
".read": false,
".write": false
},
"othernodes": {
".read": true,
".write": true
}
}
}
And, for example, in the database you save the admin uids as follows:
DBRoot
- adminusers
- uid1
- name: "aaaaaa"
- otherDataItem: "xxxxxx"
- uid2
- name: "bbbbb"
- otherDataItem: "yyyy"
A2/ Yes, if your security rules for database root are set to public, "anyone (can) download/access complete data". Note that, as explained in the documentation:
Shallower security rules override rules at deeper paths. Child rules
can only grant additional privileges to what parent nodes have already
declared. They cannot revoke a read or write privilege.
In other words, this means that if your security rules for the database root are set to public anyone can download the full JSON tree representing your data, without the need to know its structure.

Firebase security rules - writing from Firebase functions

I'm trying to implement proper Firebase security rules and ran into one challenging issue. I've got public listings which should be viewable by all, can't be deleted or edited by anyone except by the author of the listing. When someone buys (via PayPal plugin) a given listing, I need to write to this listing changing it's status to SOLD. Essentially this is like a third party (not the listing author) has to write to a given listing.
Here are the rules I have so far:
"listings": {
".read": "auth.provider === 'facebook'",
"$listingID": {
".write": "auth.provider === 'facebook' && ((!data.exists() && newData.exists()) || root.child('listings/'+$listingID+'/UID').val() === auth.uid)"
}
}
I have a feeling that I need to write to Firebase from my backend (Firebase functions), but I'm not sure how the security rules will work out, as it would still be the buyer (3rd party) upon whose request we'd need to write the new status SOLD to the listing node which is only editable by the author.
Any advice/recommendations on how to go about this situation will be highly appreciated!
Many thanks!

Firebase DB rules simulator allow read and write by unauthenticated users

The simulator allows read/write to Posts key, but the results are correct for the Users key rules. Each post under Posts has a uid value representing a user in Users key.
Are my rules wrong or is the simulator wrong? Be gentle, I'm new to Firebase. :)
Two equals:
Redacted Data view: https: // i.stack.imgur.com/GaYMj.png (remove spaces around "//")
Try changing your rules to check that a uid child exists. For example:
".read": "data.child('uid').exists() && data.child('uid').val() === auth.uid"
Based on a quick test, I think what is occuring is that when a uid child does not exist, the evaluation of data.child('uid').val() fails and is handled by assigning it a value of false. Similarly, because the user is not authenticated, auth is null and auth.uid also evaluates to false. So your rule effectively becomes ".read": "false === false", which is true.
When I first simulated a read using your rule and I did not have a uid child in my database under /posts/1, the read was granted, as you reported. When I added a uid child, it was not granted.

Resources