Looking to make my server more secure at this moment my Firebase Security Rules are
{
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
The above rule would allow anyone that has a user credential to change data. This would make the data insecure therefore what I am looking to do is change the security rule so that only the owners of the data are allowed to change their information. please note that my data structure on the real database has two nodes
Please see the attached image below
We just want to secure posts the code I am trying to run and it's not working
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
The error I am getting is simulated read denied
Related
I relatively new to firebase real-time database. I am trying to make userPosts publicly available and the user who created the post should be able to edit and view their own posts. I am struggling to make the post public and only the user who owns the post should edit it. Bellow, is the firebase database rules. When I try to simulate it to edit userPosts, it gets denied. Don't know why it happens.
Sorry for my bad English. Let me know if I need to provide more information.
{
"rules": {
"users": {
"$userId": {
"profile" :{
".read": "$userId == auth.uid",
".write": "$userId == auth.uid",
}
}
},
"userPosts":{
".read": "auth != null",
"$userId": {
//".write": "auth != null",
".write": "auth != null && auth.uid == $userId",
}
},
}
}
this is the image of firebase simulate image
Firebase simulate details
In your simulator, your UID is d62cf9b9-265b..., but your edit is at userPosts/userId literally.
Your edit should be at userPosts/d62cf9b9-265b....
I have a database like this:
The first key is the userId, has to be connected, and the next keys only him can read and write. How I can manage the rules to be safe and no one can't see the key of each other ? I begin with that but I don't think is enough
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
Because you are using the user ID as a key you can use it in your rules to make sure users can only read/write to their own nodes like this:
{
"rules": {
"$user_id": {
".write": "$user_id === auth.uid",
".read": "$user_id === auth.uid"
}
}
}
For more information you can take a look at the firebase docs about User Based Security and Securing Data. For a more extencive answer about linking users to their data you can take a look at my answer here.
I am new to firebase and I am building a small SPA.
I could set the security rules like the following. (Only authenticated user can read or write his own projects.)
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This works fine but when I sign in to my app, inspect the source code and try adding hidden extra objects in project form, firebase still accept it.
In this screenshot, the objects such as blablab, blablabla are added from Chrome's inspect tool.
As the data structure has to be like
users-->userId-->projects-->unquieKey-->project_title
But after I added it, the db structure is messed up.
I want to know that how can I prevent someone sending extra data or spam objects?
When you use this:
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It means only authenticated users can read and write to the database. So every user who was authenticated will be able to send data to the database. To prevent spam, you need to think of a way(maybe a function that prevents user to write specific words to the database)
You can also use validation, that can help a bit:
{
"rules": {
".validate": "newData.isString() && newData.val().length < 100"
}
}
more details here: https://firebase.google.com/docs/database/security/
You can use this:
{
"rules": {
".read": true,
".write": false
}
}
to prevent anyone from sending data
I'm new to using Firebase (I'm using react-redux-firebase, but not sure if that's relevant to this question). I'm having an issue using these standard auth rules:
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This is user UID as shown in the Firebase Authentication dashboard:
But if I print out the data associated with the profile/account, I get this UID:
Because of this mismatch, the logged in user is unable to read or write to the firebase instance.
Why is there a mismatch in UIDs? How can I solve this issue?
UPDATE:
It looks like the 1091103… UID is provider-specific and not relevant in this case? Can't confirm that for sure.
This may be the actual auth UID (I'm new to this, so still trying to figure out what's what):
In this case, this UID matches what is seen in the Firebase console. If they match, then what would be the cause of the permission denied errors?
ANOTHER UPDATE:
Here's the user node. You can see the UID as the key:
This is the rule you can do right now
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
if you want to check like below
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
you need to store the users to realtime database while register. with their auth.uid as key.
I'm building a new application using firebase authentication and realtime database. I understand how to secure a location in the database so that only a specific authenticated user can write to it, as per the documentation:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
I want to secure a location for one or more users. I'm not sure whether that is possible and if so, how would I structure the data. The data is a list of shopping items that one or more users can update, while all other users can view the shopping items. All users are authenticated, but one or more of them is designated as the shopper, so they are allowed to add and remove items.
Thanks
Craig
Just in case someone stumbles across this, a member of the firebase forum was able to answer the question and I ended up with the following database rules:
{
"rules": {
"users": {
".read": "auth !== null",
"$udser_id": {
".write": "$user_id === aith.uid"
}
},
"shops": {
"$shopID": {
"items": {
".read": "auth != null",
".write": "data.parent().child('shoppers').child(auth.uid).exists()"
},
"shoppers": {
".read": "auth != null",
".write": "root.child('users').child(auth.uid).child('scheduler').val() == true || data.child(auth.uid).exists()"
},
"boxes": {
".read": "auth != null",
".write": "auth != null"
}
}
}
}
}
This was based on an article here: https://firebase.googleblog.com/2016/10/group-security-in-firebase-database.html