In a Realtime Firebase database there are a lot off Childs
And in those Childs the are some more.
What rule's do i add so Read = true
Butt only write to the child "Pupil" and everything in that child
"rules":
{
".read": true,
".write": false
}
"Pupil":
{
".read": true,
".write": true
}
}
I am missing a Expected ',' or '}'.
The security rules for the Firebase Realtime Database as in JSON format, and what you have is not valid JSON. In fact, it's not even close.
I highly recommend using a tool that can show you whether your code is valid JSON (a quick search can help you find one of these).
The closest valid JSON equivalent to what you have seems to be:
{
"rules": {
".read": true,
".write": false
},
"Pupil": {
".read": true,
".write": true
}
}
While this is now valid JSON, it is not a valid set of security rules, as you can only have one top-level event (names rules) in security rules, and the rest of your rules needs to be under that.
To make it into valid security rules, nest the Pupil node under the top-level rules:
{
"rules": {
".read": true,
".write": false,
"Pupil": {
".read": true,
".write": true
}
}
}
So you should be able to save the above in the Firebase console without an error.
You can simplify this a bit to:
{
"rules": {
".read": true,
"Pupil": {
".write": true
}
}
}
The top-level read permission is automatically inherited by all nodes under the root. And by default there is no permission, so the ".write": false on the root is implied here.
Related
Users can able to data when they login in. But I want everyone can able to this child.No matter logged in.
Child is "gunluksifreler"
Here are my rules
{
"rules": {
"Homeland": {
".indexOn": ["username","email","bakiyetl","yarismada","yarismadabb","splashmesaj","uygulama1tut","uygulama2tut","uygulama3tut","uygulama4tut","uygulama5tut","uygulama6tut","uygulama7tut","uygulama8tut","uygulama9tut","uygulama10tut"]
},
"Odultalepleri": {
".indexOn": ["username","odul1"]
},
"Yardim": {
".indexOn": ["id"]
},
"gunluksifreler": {
".read": true, // <-- allows every person
".write": true
},
"Devices": {
".read": true, // <-- allows every person
".write": true
},
".read": "auth !== null", // <-- allows read if logged in
".write": "auth !== null" // <-- allows write if logged in
}
}
It can be read for everyone when I set true last read line
".read": true, // <-- allows read everbody
".write": "auth !== null" // <-- allows write if logged in
But this time everyone can read every child. What I'm missing?
Code
var kullanici = firebase.database().ref();
kullanici.on('value' ,function(datasnapshot) {
if(datasnapshot.hasChild("gunluksifreler")){
alert("yes");
}});
But it's not about the code it's about the rules.
If you don't want anonymous users to be able to read the entire database, you should not allow "read": true at the root level in your security rules.
Then if you want to allow everyone to read kullanici, you should allow "read": true on that node in your rules.
So this part of your original rules looks fine to me:
{
"rules": {
"gunluksifreler": {
".read": true
},
".read": "auth !== null"
}
}
I highly recommend focusing the rules/code in your question similarly in the future, as it ensures we're both looking at the same minimal-but-complete fragment.
The problem is not in the rules, but in your code:
var kullanici = firebase.database().ref();
kullanici.on('value', ...
This is trying to read the root of the database, which the rules explicitly disallow. So this read gets rejected.
A good way to remember this is that Firebase security rules don't on their own filter any data. They merely check whether the read you're trying to do is allows. So the read above tries to read the root, which is not allowed. Firebase doesn't check every child node of the root to only return allowed child data, as the performance of that would be hard to guarantee.
If you want read the kullanici node, you should attach your listener to only that node:
var kullanici = firebase.database().ref("kullanici");
kullanici.on('value', ...
I want to prevent read access for only one node.
let's assume I have nodes like that
"0" : {
//somedata
},
"1": {
//somedata
},
"2": {
//somedata
},
"3": {
//my private data
}
Now I won't want "3" to be read from any connections. What rules should be written there to prevent its read and write access?
I tried using rules like:-
{
"rules": {
"$3": {
".read": false,
}
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
}
}
If I do this then in the child_added it gives me all nodes also changing "$3" to "3" doesn't matter right now
{
"rules": {
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
"$3": {
".read": false,
}
}
}
the second one gives all nodes because in the very first line of the rule I used the read key as true i.e working on the cascading rule as .read and .write rules work from top-down from firebase docs Firebase Rules Docs
If any suggestions for the same or different approach I need to do this, please suggest me that?
Thanks, folks!
You were close. As you read correctly, the rules cascade from higher tiers down to the more specific ones. So if you approve the write at a higher tier (as you did for the root of your database) that "allowed" write permission applies to your entire database.
The $ is used to identify a variable name in the path. So when you use "$3" you are actually defining a variable named "$3", not referencing the specific key "3". What you are looking to do is specify a variable that is used for all values that aren't "3", which by convention, is called "$other".
{
"rules": {
"3": {
".read": false,
".write": false
},
"$other": { // any key not named above at this level
".read": true,
".write": "auth!=null && auth.uid == 'myuid'"
}
}
}
This should work:
{
"rules": {
"3": {
".read": false,
".write": false,
}
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
}
}
1st you are checking, if the data is "3", block it and return. If not check below rules (in this case, allow authenticated users).
I've been messing around with my firebase database rules to try and allow users without authentication to only edit a certain child in my database, but I can't seem to figure it out.
Here is the database structure:
So I'm trying to allow users without authentication to edit the videoID, but not only that, I need the rule to ignore the room id (5555 in this example), meaning it only allows reading and editing of rooms/(roomid)/videoID
Thanks for all kinds of help!
The Firebase Database rules allow variables and can have different rules at different depths.
In your case, the below rules would allow any users (authenticated or not) to access /rooms/$roomid/videoID but only authenticated users to access the entire /rooms/ tree.
{
"rules": {
"rooms": {
".read": "auth != null",
".write": "auth != null",
"$roomid": {
"videoID": {
".read": "true",
".write": "true",
}
}
}
}
}
The Firebase rule simulator (accessible from the Rules tab of the Firebase Database console) is useful for testing rules before publishing:
Maybe something like this :
{
"rules": {
".read": true,
".write": "auth != null",
"rooms": {
"$roomId": {
"videoID": {
".write": true
}
}
}
}
}
It will allow user with authentification to edit another field beside videoID.
But if you want even authentificated user, also can only edit videoID, then the rule is :
{
"rules": {
".read": true,
".write": false,
"rooms": {
"$roomId": {
"videoID": {
".write": true
}
}
}
}
}
Remember, when the rule set true it will not traverse the child rule, But if it set false it will continue inspect the child rules.
trying to get this to work :
{
"rules": {
".read": true,
".write": "auth.uid == simplelogin:2",
}
}
I want just a specific user to have a write control over everything (for now). How do I make this work?
I want allow users to create their account only if they have a token(invitation).
In my firebase Security i have:
{
"rules": {
".read": false,
".write": false,
"users": {
// allow to write if in the invitations there is child equal to token from newData()
".write":"root.child('invitations').hasChild(newData.child('token').val())",
},
"invitations":{
"$invitation":{
".read": "true"
}
}
}
}
as is in the comment i want allow to write if in the invitations there is child equal to token from newData().
From Simulator:
Attempt to write {"token":"evl6yky3vi0pmn29","name":"John"} to /users/99 with auth=null
/:.write: "false"
=> false
/users:.write: "root.child('invitations').hasChild(newData.child('token').val())"
6:52: hasChild() expects a string argument.
=> false
/users/99:<no rules>
how should I do this?
You've almost got it perfect. The only flaw here is that you're trying to write to users/99, but you've put the rule on users/.
Presumably, you meant this:
"users": {
"$user_id": {
// allow to write if in the invitations there is child equal to token from newData()
".write":"root.child('invitations').hasChild(newData.child('token').val())",
}
},