I relatively new to firebase real-time database. I am trying to make userPosts publicly available and the user who created the post should be able to edit and view their own posts. I am struggling to make the post public and only the user who owns the post should edit it. Bellow, is the firebase database rules. When I try to simulate it to edit userPosts, it gets denied. Don't know why it happens.
Sorry for my bad English. Let me know if I need to provide more information.
{
"rules": {
"users": {
"$userId": {
"profile" :{
".read": "$userId == auth.uid",
".write": "$userId == auth.uid",
}
}
},
"userPosts":{
".read": "auth != null",
"$userId": {
//".write": "auth != null",
".write": "auth != null && auth.uid == $userId",
}
},
}
}
this is the image of firebase simulate image
Firebase simulate details
In your simulator, your UID is d62cf9b9-265b..., but your edit is at userPosts/userId literally.
Your edit should be at userPosts/d62cf9b9-265b....
Related
I'm trying to create a rule for create/access the FRD data based on authenticated user. But am getting an error where running the Rules Playground
What I want is, Users are creating the categories. So Users is able to only read their categories and update those categories.
Rule:
{
"rules": {
"users": {
"$uid": {
".write": "auth != null && $uid === auth.uid",
".read": "auth != null && $uid === auth.uid"
}
},
"categories": {
"$uid": {
".write": "auth != null && $uid === auth.uid",
".read": "auth != null && $uid === auth.uid"
}
}
}
}
Auth Users:
Realtime Database
Categories
Users
Categories Write function in Flutter
String uId = await userId();
final databaseRef = FirebaseDatabase.instance.ref('categories');
var data = await databaseRef.get();
var index = data.children.length;
await databaseRef.child('$index').set(<String, dynamic>{
"name": categoryBody.name,
"description": categoryBody.description,
"uid": uId,
"id": index,
});
Error
Is there anything wrong with the rules that am applying?
I tried to replicate your issue, but I can able to successfully test rules without errors.
The rules you are using are for authenticated users but you are testing for unauthenticated users. Means you have not enabled Authenticated field.
And you have to enter /categories/uid instead of /categories under the location and you should enter uid under Firebase UID field. You may have look at below screenshot.
You can refer this tutorial for more information.
When you're using the following security rules:
"categories": {
"$uid": {
".write": "auth != null && $uid === auth.uid",
".read": "auth != null && $uid === auth.uid"
}
}
It means that you allow the user to write/read to/from every child that exists under your categories/$uid node. So when you try to apply those rules to your actual database structure, it's the expected behavior to see that Firebase servers reject the operations since it doesn't find any $uid level in your database schema. To solve this, you have to remove that extra $uid level from rules like this:
"categories": {
".write": "auth != null",
".read": "auth != null"
}
And this is because those category objects exist directly under the categories node and not under categories/$uid.
I have a mobile application which reads the data from the firebase server without firebase login/authentication (posts and news) and I want to create an admin webpage where I can log in and add, or modify news, so I need a write permission there. My rules are currently:
{
"rules": {
".read": true,
".write": "auth !== null && ?????
}
}
Can I write something like "user.emailAddress == 'mail#example.com'"?
You can create a users table on database like
{
"users":{
"your UID":{
"isAdmin": true
}
}
}
Then edit rules :
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
}
}
You might want to start by reading the documentation about securing user data. There is a lot to know here.
One possibility is using the known user's uid to restrict access. The auth.uid variable contains the uid.
".write": "auth.uid == 'the-known-uid'"
Also you can use auth.token to access some other things about the user, including email address (which may not be present):
".write": "auth.token.email == 'the#email.address'"
You can also use custom authentication tokens, which also is covered in the documentation.
Create database:
{
"users":{
"your UID":{
"isAdmin": true
}
}
}
Set rules:
Wrong:
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
}
}
Right:
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
I'm new to using Firebase (I'm using react-redux-firebase, but not sure if that's relevant to this question). I'm having an issue using these standard auth rules:
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This is user UID as shown in the Firebase Authentication dashboard:
But if I print out the data associated with the profile/account, I get this UID:
Because of this mismatch, the logged in user is unable to read or write to the firebase instance.
Why is there a mismatch in UIDs? How can I solve this issue?
UPDATE:
It looks like the 1091103… UID is provider-specific and not relevant in this case? Can't confirm that for sure.
This may be the actual auth UID (I'm new to this, so still trying to figure out what's what):
In this case, this UID matches what is seen in the Firebase console. If they match, then what would be the cause of the permission denied errors?
ANOTHER UPDATE:
Here's the user node. You can see the UID as the key:
This is the rule you can do right now
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
if you want to check like below
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
you need to store the users to realtime database while register. with their auth.uid as key.
I'm building a new application using firebase authentication and realtime database. I understand how to secure a location in the database so that only a specific authenticated user can write to it, as per the documentation:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
I want to secure a location for one or more users. I'm not sure whether that is possible and if so, how would I structure the data. The data is a list of shopping items that one or more users can update, while all other users can view the shopping items. All users are authenticated, but one or more of them is designated as the shopper, so they are allowed to add and remove items.
Thanks
Craig
Just in case someone stumbles across this, a member of the firebase forum was able to answer the question and I ended up with the following database rules:
{
"rules": {
"users": {
".read": "auth !== null",
"$udser_id": {
".write": "$user_id === aith.uid"
}
},
"shops": {
"$shopID": {
"items": {
".read": "auth != null",
".write": "data.parent().child('shoppers').child(auth.uid).exists()"
},
"shoppers": {
".read": "auth != null",
".write": "root.child('users').child(auth.uid).child('scheduler').val() == true || data.child(auth.uid).exists()"
},
"boxes": {
".read": "auth != null",
".write": "auth != null"
}
}
}
}
}
This was based on an article here: https://firebase.googleblog.com/2016/10/group-security-in-firebase-database.html
My app allows anyone to write a new message (the message cannot be updated or deleted), which should then only be visible to authenticated users. The authenticated users can edit the data (which will include things like flag as important, etc.). Think of the app like a private suggestion box (anyone can submit a suggestion but only the admins can view the submitted suggestions). I'm using the Firebase simulator and the following fails but it shouldn't:
Firebase Simulator
Write
Location: messages/
Authenticated: false
Data (JSON)
{
"key": "value"
}
Firebase Database Rules
{
"rules": {
"messages": {
"$message": {
".read": "auth !== null",
".write": "!data.exists() || auth !== null",
},
},
"users": {
".read": "auth !== null",
".write": "auth !== null"
}
}
}
I think that's because you're testing with messages/ whereas only writes to messages/{message-id} would be allowed. Try writing to messages/somethingrandom.