My database:
I want to set firebase rules where user can update existing tags value but not create new tags
If you only want the user to be able to update existing properties, and not create any new properties, that'd be:
{
"rules": {
"$uid": {
".write": "auth.uid === $uid"
"$property": {
".validate": "data.exists()"
}
}
}
}
So this rule validates that a property can only be written if there's already data for that property in the database.
If you only want the user to be able to write a name and address, and not any other properties, that'd be:
{
"rules": {
"$uid": {
".write": "auth.uid === $uid"
"name": {
".validate": true
},
"address": {
".validate": true
},
"$other": {
".validate": false
}
}
}
}
In the above rules we allow writing the named name and address properties, and reject any other properties with a wildcard capture rule.
Related
I am trying to figure out Firebase Rules that will allow my users to only see their data in their App.
Currently this is my Realtime Database File:
and this is my Firebase Set Rules:
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid === $uid"
}
},
"jobs": {
"$uid": {
".read": "auth.uid === $uid"
}
}
}
}
How do i change the rules to be able to let users see their data that is relevant to their userid?
It looks like you're using the user's UID as the key for their data in both jobs and users. In that case, you can ensure that each user can only read their own job and profile with:
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid === $uid"
}
},
"jobs": {
"$uid": {
".read": "auth.uid === $uid"
}
}
}
}
Note that this is almost a literal copy of the sample in the Firebase documentation on securing user data.
I'm having some issues wrapping my head around the database rules and the documentation isn't helping. I am trying to set things up so that only the user can delete their own items, however at the moment I'm getting permission_denied errors. I am assuming that it is because I don't have a read/write rule on the 'items' level. However I feel that if I just added a 'auth != null' rule it would give to much permission. Any thoughts?
the database setup:
users:
{
user_1 {
items:
{
item_1: true,
item_2: true,
}
},
user_2 {...},
etc {...},
},
items:
{
item_1
{
user: "user_1"
....
},
item_2
{
user: "user_1"
....
},
}
The database rules look like
{
"rules": {
"users": {
"$uid":{
".read": "auth != null && auth.uid==$uid",
".write": "auth != null && auth.uid==$uid"
}
},
"items": {
"$itemID": {
".read": "root.child('Users/'+auth.uid+'/'+$itemID).exists()",
".write": "root.child('Users/'+auth.uid+'/'+$itemID).exists()"
}
}
}
}
At the moment any user can delete any item.
To ensure that only the owner can delete the item, you need to not just verify that:
"items": {
"$itemID": {
".read": "auth.uid == data.child('user').val()",
".write": "auth.uid == data.child('user').val()"
}
}
There is no need to check if they exist in the /users node as far as I can tell, although you can easily add that back if needed.
But if a user can only read/write their own items, I'd model the data differently:
"items": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
"$itemID": {
}
}
}
This is much simpler to model and will give you much better scalability, since the database only ever has to consider the data for one user.
i am trying to allow my self to be able to read and write everything in the database.
i am getting a read denied error when trying to run this in the firebase simulator.
{
"rules": {
".read": "root.child('Admin').child('isAdmin').child('+$AUID').val() === true",
"Admin": {
"isAdmin": {
"$AUID": {
".read": "$AUID === auth.uid",
".write": "$AUID === auth.uid",
".validate": "newData.hasChildren(['active'])",
"active": {
"active": "true"
},
},
},
},
}
If you want to give a user access to your Firebase whose level of access is determined by the value in another node, something like this may work. (Not tested)
users
uid_0
is_admin:true //your uid
uid_1
is_admin:false
and rules
rules
".read": "root.child('users').child(auth.uid).child('is_admin').val() == true"
".write": "root.child('users').child(auth.uid).child('is_admin').val() == true"
I'm trying to set users to get only own objects. I have a tasks which have 3 attributes on fb-database: task-text, datetime, user. user have user uid. I want to write a rule that allow user to read only own tasks.
So far I have this and it dont work:
{
"rules": {
"tasks": {
".read": "auth.uid == data.child('user').val()",
".write": "auth.uid != null",
}
}
}
You'll want to break up the tasks by user, so you'll have a structure that looks like:
root
tasks
Puf
...
Andrew
...
James
...
This can be secured via rules that look like:
{
"rules": {
"tasks": {
"$userId": {
".read": "auth.uid == $userId",
".write": "auth.uid == $userId",
}
}
}
}
I am trying to prevent unwanted fields to be added to my user objects.
--> A user can have a phone and a username (but doesn't have to --> newData.hasChildren(['phone', 'username']) doesn't work here).
I first tried this:
"users": {
"$uid": {
"$other": {
".validate": "['phone', 'username'].indexOf($other) > -1"
}
}
}
I get an error because of the array :(
So then I thought about doing something like this but it's really not great if I have many potential fields
"$other": {
".validate": "$other === 'phone' || $other === 'username'"
}
Finally, I created a node in my Firebase called 'rules' and did this:
"rules": {
"users": {
"fields": {
"phone": true,
"username": true
}
}
}
And then my new validation rule in my user object is:
"$other": {
".validate": "root.child('rules/users/fields/'+$other).val() === true"
}
My question is: Is this a correct way to restrict field names ?
Thank you very much for your answer :) I am pretty new to Firebase but I am having a lot of fun trying it out!
To restrict an object in your Firebase to only have the specified keys, try using one additional wildcard child that will match any attributes not already specified, and reject the write if it contains one of these unmatched attributes:
"rules": {
"users": {
"$userid": {
".validate": "newData.hasChildren(['phone', 'username'])",
"phone": {
".validate": "newData.isNumber()"
},
"username": {
".validate": "newData.isString()"
},
"$other": {
".validate": false
}
}
}
}