I am new to coding
The database contains the following cats
url
https://"bucket_name".firebaseio.com/Users/ID/"$uid"
{
"Age" : "\"2000,0,0\"",
"Points today" : "110",
"Questions" : {
"All questions" : {
},
"Default questions" : {
}
},
"Ready to challenge" : "\"yes\"",
"Spirit" : "5",
"account status" : "\"active\"",
"country" : "\"AE\"",
"email" : "\"email\"",
"language" : "\"ar\"",
"name" : "\"name\"",
"password " : "\"siwasiwa\"",
"phone number" : "\"\"",
"points" : "120",
"profile picture" : "\"55\"",
"timezone" : "\"123"",
"user name" : "\"\""
I activated Google authentication in the project. The Firebase rules look as follows:
{
"rules": {
"bucket_name":{
"Users":{
"ID" :{
"$uid": {
"Age": {
".read": true,
".write": "auth.uid == $uid"
},
"Points today": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Questions": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Spirit": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Ready to challenge": {
".read": "auth != null",
".write": "auth != null"
},
"account status": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"country": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"email": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"language": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"name": {
".read": true,
".write": "auth.uid == $uid"
},
"password": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
},
"phone number": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"points": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"profile picture": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"timezone": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"user name": {
".read": "auth != null",
".write": "auth.uid == $uid"
}
}
}
},
}
}
}
Every time I run the simulation, both read and write are rejected.
Also, I tried more than one way, but to no avail.
It looks like you're trying to use Realtime database security rules to protect a storage bucket. That's not possible. Cloud Storage has a completely different set of rules to use. These are described in the documentation.
Related
I keep getting emails saying my database is not secure after implementing my security rules. The emails specify that any authenticated user can read/write to my database but I implemented specific access rules:
{
"rules": {
"posts": {
".read": "auth.uid !== null",
".write": "auth.uid !== null && newData.hasChildren(['score', 'quote',
'description', 'source', 'sourceType', 'ownerID', 'ownerImageURl', 'ownerUsername', 'timestamp', 'usersVoted'])",
".indexOn":["sourceType", "ownerID"],
"$postID": {
".write": "!data.hasChild('ownerID')",
"score": {
".write": "newData.isNumber() && (newData.val() === data.val() + 1 || newData.val() === data.val() - 1) && !root.child('posts').child('$postID').child('usersVoted').hasChild(auth.uid)"
},
"usersVoted": {
".write": "!data.hasChild(auth.uid)",
"$userID": {
".write": false
}
}
}
},
"users": {
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
"$userID": {
".read": "auth.uid === $userID",
".write": "auth.uid === $userID"
}
},
"comments": {
".read": "auth.uid !== null",
"$postID": {
".write": "auth.uid !== null",
"$commentID": {
".write": false
}
}
}
}
}
Why does Firebase think that any user can read/write to any location in my database?
EDIT: I haven't gotten the email in a while so I think my rules are secure.
For example this rule for users node, is not secure:
"users": {
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
"$userID": {
".read": "auth.uid === $userID",
".write": "auth.uid === $userID"
}
}
Because, this rule allows any authenticated user and non-existing user to write to your users node (not secure):
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
and it overwrites this rule (as if this is meaningless now):
".write": "auth.uid === $userID"
To make it secure, users rule must look like this:
"users": {
"$userID": {
".write":"auth.uid !== null && !data.hasChild(auth.uid) && auth.uid === $userID",
".read": "auth.uid === $userID"
}
}
So fix your rules, and be careful of RULES CASCADING.
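The cascade this answer warns about, as an added example (not part of the original answer, and a simplified model rather than Firebase's own rules engine): the shallowest rule that grants access wins, so a deeper rule can never take that grant back. The helper names `has`, `snapshot`, `evalRule` and `grantedAt` and the contents of `db` are assumptions made for the illustration.

```javascript
// Simplified model of Realtime Database rule cascading (added example).
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function snapshot(value) {
  const isObj = value !== null && typeof value === 'object';
  return {
    val: () => value,
    hasChild: (key) => isObj && has(value, key),
    child: (key) => snapshot(isObj ? value[key] : undefined),
  };
}

function evalRule(expr, vars) {
  if (typeof expr === 'boolean') return expr;
  try {
    const fn = new Function(...Object.keys(vars), `return (${expr});`);
    return Boolean(fn(...Object.values(vars)));
  } catch (err) {
    return false; // e.g. auth is null, so auth.uid throws: fail closed
  }
}

// Returns the path of the shallowest rule that grants `op`, or null if denied.
function grantedAt(rules, op, path, auth, db) {
  const segments = path.split('/').filter(Boolean);
  const vars = { auth };
  let node = rules, data = db;
  for (let i = 0; i <= segments.length; i++) {
    if (has(node, op) && evalRule(node[op], { ...vars, data: snapshot(data) })) {
      return '/' + segments.slice(0, i).join('/'); // deeper rules are never consulted
    }
    if (i === segments.length) break;
    const seg = segments[i];
    const wildcard = Object.keys(node).find((key) => key.startsWith('$'));
    if (has(node, seg)) node = node[seg];
    else if (wildcard) { vars[wildcard] = seg; node = node[wildcard]; }
    else return null; // no rule covers this path: denied by default
    data = snapshot(data).child(seg).val();
  }
  return null;
}

// Rules copied from the question and from the answer; db is constructed sample data.
const questionRules = { users: {
  '.write': 'auth.uid !== null && !data.hasChild(auth.uid)',
  $userID: { '.read': 'auth.uid === $userID', '.write': 'auth.uid === $userID' } } };
const answerRules = { users: { $userID: {
  '.write': 'auth.uid !== null && !data.hasChild(auth.uid) && auth.uid === $userID',
  '.read': 'auth.uid === $userID' } } };
const db = { users: { alice: { name: 'Alice' } } };
```

With a constructed user `{ uid: 'mallory' }` who has no record yet, `grantedAt(questionRules, '.write', '/users/alice', { uid: 'mallory' }, db)` returns `'/users'`, while the same call with `answerRules` returns `null`.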
I appreciate this looks like it has been answered various times for individual requirements. I am completely new to Firebase and I want to get some insight into this. I have been presented with this message from Firebase:
We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
any logged-in user can write to your entire database
My current rules look like this:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"items": {
".indexOn": "ownerId"
},
"events": {
".indexOn": "ownerId"
},
"contacts": {
".indexOn": "ownerId"
}
}
}
Based on the documentation, do I simply need to do this?
{
"rules": {
".read": "auth != null && auth.uid == $uid"
".write": "$user_id === auth.uid",
"items": {
".indexOn": "ownerId"
},
"events": {
".indexOn": "ownerId"
},
"contacts": {
".indexOn": "ownerId"
}
}
}
Will users still be able to access their own (previously) written data from before the change, while enforcing the security rules from Firebase?
Apologies if this is a silly question, but I have got a lot of data which I cannot let users lose access to.
Thanks
As the Firebase documentation says:
Sometimes, Rules check that a user is logged in, but don't further restrict access based on that authentication. If one of your rules includes auth != null, confirm that you want any logged-in user to have access to the data.
So you have to get rid of this part down under the rules part:
".read": "auth != null",
".write": "auth != null",
And use any of these approaches: Content owner only, Path-delineated access or Mixed public and private access.
For example:
{
"rules": {
"products": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
".indexOn": ["creatorId", "isActive"]
}
},
"stores": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
".indexOn": ["creatorId", "isActive"]
}
},
"orders": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
}
},
}
}
Firebase database question:
I want to "open" "votes" for unauthenticated users. Is this safe?
Maybe:
{
"rules": {
".read": true,
"posts": {
"title": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"url": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"time": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"vote": {".write": true,}
}
}
}
Or:
{
"rules": {`enter code here`
".read": true,
"posts": {
"title": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"url": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"time": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"vote": {".write": "newData.val() === data.val() + 1"}
}
}
}
I have static nodes like (users-technical-services-orders).
For example, for (technical) I created a write restriction so that only the same technical can write, except for 3 fields that all authenticated users are allowed to write.
I can do it like this:
{
"rules": {
//
"phonenumbers":{
".read": true,
".write": "auth !== null"
},
"services":{
".read": true,
".write": "auth !== null"
},
"subservices":{
".read": true,
".write": "auth !== null"
},
"ChargeRecordsProv":{
".read": "auth !== null",
".write": "auth !== null"
},
"ChargeRecordsUsers":{
".read": "auth !== null",
".write": "auth !== null"
},
"ExchangeRecords":{
".read": "auth !== null",
".write": "auth !== null"
},
"directions":{
".read": "auth !== null",
".write": "auth !== null"
},
"orders":{
".read": "auth !== null",
".write": "auth !== null"
},
"setting":{
".read": "auth !== null",
},
"technical":{
".read": "auth !== null",
"$user_id": {
".write": "$user_id === auth.uid"
},
"balancepro": {
".write": "auth !== null"
},
"ratingNumClinets": {
".write": "auth !== null"
},
"ratingDegree": {
".write": "auth !== null"
},
"statusProv": {
".write": true
}
},
"users":{
".read": "auth !== null",
"$user_id": {
".write": "$user_id === auth.uid"
}
}
}
}
This works well for my static nodes.
The problem is:
I have dynamic nodes like (Technicians_Carpenter_location) whose names cannot be known, because they depend on what the admin sets.
These dynamic nodes will not be allowed to be read or written with my previous rules.
If I add public rules like this:
".read": "auth !== null",
".write": "auth !== null"
They can be read and written, but this will affect all the previous rules for the static nodes, and they will not work.
So, please make a suggestion: what can I do?
I think you're looking for a wildcard rule, which matches all child nodes that are not matched by any other rule. A simple example of such a rule is:
{
"rules": {
"profiles": {
"$profileid": {
".read": true
}
}
}
}
With the above rule, anyone can read a specific profile (for example /profiles/puf), but nobody can read all profiles at once (/profiles).
So in your case, if you want to grant specific permissions to specific named nodes, and a common set of permissions to all other nodes, you'd add a wildcard to your current nodes. Something like this:
{
"rules": {
"phonenumbers":{
".read": true,
".write": "auth !== null"
},
...
"$other": {
".read": "auth !== null",
".write": "auth !== null"
}
}
}
I am writing an app where I have users, and each user has trips.
I have managed to authenticate and insert user's data. Now I want to define rules for the trips list.
Currently I can't get the simulator to work even with the same definitions (getting write/read permissions to users, but failing for trips, see pics):
This is what I have that is failing:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
},
"trips" : {
"$uid" : {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
}
}
}
}
}
What I actually want eventually is:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
},
"trips" : {
"$tid" : {
".indexOn": ["uid"],
".write": "<only if child field 'uid' is same as auth.uid>",
".read": "auth != null"
}
}
}
}
}
That's because you've nested your "trips" rules under the "users" rules. They should both be under the "rules" node. Like this:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
}
},
"trips" : {
"$tid" : {
".write": "$tid === auth.uid",
".read": "auth!=null",
".indexOn":"uid"
}
}
}
}