I need to allow only 2 specific uid for write access and I can't publish with my current rule:
{
"rules": {
".read": "auth != null",
".write": "auth != null && auth.uid === 'abc123' || '123abc'",
}
}
It keeps complain "rule regulation may not contain '|' operator" and
"right operand for '||' must be boolean", which ever i used.
How should I change my rule to achieve what I want?
Any help will be much appreciated.
The word after || is actually not a boolean, it is just a string. Please, check my fixed code.
{
"rules": {
".read": "auth != null",
".write": "auth != null && (auth.uid === 'abc123' || auth.uid === '123abc')",
}
}
Related
Does anyone know why I can't use this snippet from here https://firebase.google.com/docs/rules/basics#realtime-database_2
It looks like a documentation mistake because in Firestore you would write request.auth.uid while in the RTDB you just write auth.uid.
{
"rules": {
"some_path": {
"$uid": {
// Allow only authenticated content owners access to their data
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
}
}
}
I try to allow write for a list of uid using, auth.uid in ['ciAujxIqXQSdaaaaaaaaaa', 'bbb'], but that's not the correct syntax, how can I do this?
{
"rules": {
"orders": {
".read": "auth != null",
".write": "(data.child('uid').val() == auth.uid) || auth.uid in ['ciAujxIqXQSdaaaaaaaaaa', 'bbb']",
".indexOn": ["negative_epoch"]
},
"users": {
".read": "auth != null",
".write": "auth != null",
},
}
}
There is no in operation in the security rules language for the Realtime Database. So you'll have to do an or yourself:
"(data.child('uid').val() == auth.uid) || auth.uid == 'ciAujxIqXQSdaaaaaaaaaa' || auth.uid == 'bbb'"
I usually find that after adding 2 or 3 UIDs this way, I create a new top-level list in the database to hold these UID:
"admins": {
"ciAujxIqXQSdaaaaaaaaaa": true,
"bbb": true
}
And then check against that list in my rules:
"(data.child('uid').val() == auth.uid) || root.child('admins').child(auth.uid).exists()"
I'm trying to restrict the "Stores" write to the owner only, but the "write" rules does not seem to work
"Stores": { // restrict "Stores" write to the owner only
".read": "true",
".write": "auth.uid !== null && auth.uid === newData.child('ownerID').val()"
}
... and surprisingly neither does this..
".write": "newData.child('ownerID').exists()"
However it works with this...
".write": "auth.uid !== null"
But it is not as secure as how I want it. Can anyone help please?
You've defined the rule on the wrong level. Right now you're controlling who can write to the /Stores node. But what you want to do, is control who can write an an individual store, so /Stores/$storeid.
Something like:
"Stores": {
"$storeid": {
".write": "auth.uid !== null && auth.uid === newData.child('ownerID').val()"
}
}
I'm looking for some advice or a possible solution with tightening up my firebase rules.
This is my user tree in Firebase:
users
|_male
|_uid
|_female
|_uid
The UID will be an epoch timestamp when the account is created which will be a signed integer.
These are the firebase rules which basically ensures the user has logged in and authenticated with Facebook before they can read or write to users:
"users": {
"male":{
".indexOn": ["uid"]
},
"female":{
".indexOn": ["uid"]
},
".read": "auth != null && auth.provider === 'facebook'",
".write": "auth != null && auth.provider === 'facebook'"
},
I only want users to read/write to their tree, for example:
users->male->uid->1233254...
I'm afraid with my rules above, they could potentially read and write from/to another users tree.
It would be great if I could compare the app UID with the Facebook UID.
I do capture this detail in another tree on the database e.g:
user_fbuid
|_fbuid
|_facebook:a1244dxs
|_uid
I do have better rules here that check against auth.uid:
"user_fbuid": {
"fbuid":{
"$fbuid": {
".indexOn": ["fbuid"],
".read": "$fbuid === auth.uid && auth.provider === 'facebook'",
".write": "$fbuid === auth.uid && auth.provider === 'facebook'"
}
},
},
If anyone has any ideas, I'd love to hear. Thanks
I ended up using the facebook id attribute as my own uid and the rules below:
"$uid": {
// only the user can read and write to their tree
".read": "auth != null && auth.provider === 'facebook' && auth.token.firebase.identities['facebook.com'][0] === $uid",
".write": "auth != null && auth.provider === 'facebook' && auth.token.firebase.identities['facebook.com'][0] === $uid"
},
I have this collection
"connection-requests":{
"push-key1":{
"foo":"bar",
"biz":"baz",
"user1":{
"some-info":"",
"uid":"user1uid"
},
"user2":{
"some-info":"",
"uid":"user2uid"
}
}
}
I want this collection to be readable and writable only by the two users whose uid is present this collection.
This is my database rules:
"connection-requests": {
"$key": {
".read": "root.child('connection-requests').child($key).child('user1/uid').val() == auth.uid || root.child('connection-requests').child($key).child('user2/uid').val() == auth.uid",
".write": "root.child('connection-requests').child($key).child('user1/uid').val() == auth.uid || root.child('connection-requests').child($key).child('user2/uid').val() == auth.uid",
}
}
Im accessing the data using this request :
db.ref('connection-requests')
.orderByChild('user1/uid')
.equalTo(uid) // <- auth.uid of user
.once('value')
.then()
.catch()
The rules above doesn't work, my guess is that there is something wrong with .child($any) part but Im not sure what.
Thanks in advance.
The closing double-quote for each rule is misplaced. Instead of being at the end of the line, it is following the OR operator:
auth.uid || "root.child
^
^
Should be:
"connection-requests": {
"$key": {
".read": "root.child('connection-requests') ... == auth.uid",
".write": "root.child('connection-requests') ... == auth.uid",
}
}