My database rules is as below which only lets authorized users to read/write their own data. However, I want everyone to read all database without any authorization. How can I do it?
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It is not 100% clear what you mean by "I want everyone to read all database without any authorization".
If you mean that anyone should be able to read the posts (even users without an account, i.e. unauthenticated users) you would adapt your rules as follows:
{
"rules": {
"posts": {
"$uid": {
".read": true,
".write": "$uid === auth.uid"
}
}
}
}
If you mean that only authenticated users should be able to read the posts of all the other users (in others words, authenticated users shall get the authorization to read all posts), you would adapt your rules as follows:
{
"rules": {
"posts": {
"$uid": {
".read": auth != null,
".write": "$uid === auth.uid"
}
}
}
}
See the doc for more details.
Related
I have a token stored in my /users/UID object, and I want to check if the token provided in the request matches it. How can I do this?
At the moment, I have this:
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid",
"files": {
".write": "newData.child(\"token\").val() === \"ZnYKcbTIaN466iQ\"", //
".read": "$uid === auth.uid"
},
}
},
}
}
The code above returns true, but the token changes periodically. Can I, somehow, access this information in my database?
I got it! To check was quite simple, you just need to use the data object
".write": "newData.child(\"token\").val() === data.child(\"token\").val()"
I am trying to figure out Firebase Rules that will allow my users to only see their data in their App.
Currently this is my Realtime Database File:
and this is my Firebase Set Rules:
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid === $uid"
}
},
"jobs": {
"$uid": {
".read": "auth.uid === $uid"
}
}
}
}
How do i change the rules to be able to let users see their data that is relevant to their userid?
It looks like you're using the user's UID as the key for their data in both jobs and users. In that case, you can ensure that each user can only read their own job and profile with:
{
"rules": {
"users": {
"$uid": {
".read": "auth.uid === $uid"
}
},
"jobs": {
"$uid": {
".read": "auth.uid === $uid"
}
}
}
}
Note that this is almost a literal copy of the sample in the Firebase documentation on securing user data.
I have two mega parent nodes, but I am currently unable to write to the second one.
-users
uid
some other info
uid
-secondParent
child
uid
child
uid
I would like the user to be able to write to his own child of secondParent. Read and write permissions are working correctly for the users parent node, but I can't get it working for the secondParent.
The rule I have currently is:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null",
".write": "$uid === auth.uid",
}
},
"parentdNode": {
"$childID":{
".read" : "auth != null",
"$uid":{
".write": "$uid === auth.uid",
}
}
}
}
}
Simulation failure below:
You have to write rules for each parents to enable permission
{
"rules": {
"users": {
"$uid": {
".read": "auth != null",
".write": "$uid === auth.uid",
}
},
"parentdNode": {
"$childID":{
"$uid":{
".read" : "auth != null",
".write": "$uid === auth.uid",
}
}
}
}
}
According to the screenshot, you are trying to write {"uid":"X","property":"Y"} to /parentNode/someNode. The rules give permission to write {"property":"Y"} to /parentNode/someNode/65ef..aa62.
JSON trees come with key/value pairs. There is no key uid in the scheme you presented, there is a $uid which is replaced by the a value from the path you are accessing.
It may still be a bit confusing, but I hope this points to clarifying ideas.
I'm trying to set users to get only own objects. I have a tasks which have 3 attributes on fb-database: task-text, datetime, user. user have user uid. I want to write a rule that allow user to read only own tasks.
So far I have this and it dont work:
{
"rules": {
"tasks": {
".read": "auth.uid == data.child('user').val()",
".write": "auth.uid != null",
}
}
}
You'll want to break up the tasks by user, so you'll have a structure that looks like:
root
tasks
Puf
...
Andrew
...
James
...
This can be secured via rules that look like:
{
"rules": {
"tasks": {
"$userId": {
".read": "auth.uid == $userId",
".write": "auth.uid == $userId",
}
}
}
}
Firebase - In security rules how do I restrict a user to only update an object that they originally created.
So they cannot update another persons object?
Current security rules:
{
"rules": {
"organisations": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This prevents the user doing anything.
This is the firebase organisations table:
You can check on the auth.uid variable and the newData variable.
{
"rules": {
"organisations": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid",
".validate": "newData.hasChildren(['uid'])
}
}
}
}
This means that your data must have a uid property.
Check out the Firebase Security Guide for more information.
Also, you may want to check out the Bolt compiler.