How safe is this rule? - firebase

Firebase database question:
I want to "open" the "vote" counter to unauthenticated users while keeping the rest of each post writable only by its owner. Is either of the following rule sets safe?
Option 1 (note: `".write": true` on `vote` lets anyone, signed in or not, overwrite the counter with any value at all, and the trailing comma on that line is invalid rules JSON):
{
"rules": {
".read": true,
"posts": {
"title": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"url": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"time": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"vote": {".write": true,}
}
}
}
Option 2, which only permits a +1 increment. Both variants still have `".read": true` at the root, so the entire database is world-readable, and neither requires `auth != null` on `vote`, so an anonymous client can keep incrementing a post's counter without limit. The increment rule may also reject the very first vote when `vote` does not exist yet (`data.val()` is null). Finally, as written the `title`/`url`/`time`/`vote` rules sit directly under `posts`, so they match the literal paths `posts/title` etc. rather than `posts/$postId/title`; if posts are keyed by id, a `$postId` wildcard level is missing:
{
"rules": {`enter code here`
".read": true,
"posts": {
"title": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"url": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"time": { ".write": "auth != null && auth.uid == 'XXXXXX'"},
"vote": {".write": "newData.val() === data.val() + 1"}
}
}
}


Firebase Realtime Database Insecure Rule Warning

I keep getting emails saying my database is not secure after implementing my security rules. The emails specify that any authenticated user can read/write to my database but I implemented specific access rules:
{
"rules": {
"posts": {
".read": "auth.uid !== null",
".write": "auth.uid !== null && newData.hasChildren(['score', 'quote',
'description', 'source', 'sourceType', 'ownerID', 'ownerImageURl', 'ownerUsername', 'timestamp', 'usersVoted'])",
".indexOn":["sourceType", "ownerID"],
"$postID": {
".write": "!data.hasChild('ownerID')",
"score": {
".write": "newData.isNumber() && (newData.val() === data.val() + 1 || newData.val() === data.val() - 1) && !root.child('posts').child('$postID').child('usersVoted').hasChild(auth.uid)"
},
"usersVoted": {
".write": "!data.hasChild(auth.uid)",
"$userID": {
".write": false
}
}
}
},
"users": {
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
"$userID": {
".read": "auth.uid === $userID",
".write": "auth.uid === $userID"
}
},
"comments": {
".read": "auth.uid !== null",
"$postID": {
".write": "auth.uid !== null",
"$commentID": {
".write": false
}
}
}
}
}
Why does Firebase think that any user can read/write to any location in my database?
EDIT: I haven't gotten the email in a while, so I think my rules are secure. (Not receiving the warning email is not evidence that the rules are secure; the cascading problem described below is still present in the rules as posted.)
For example this rule for users node, is not secure:
"users": {
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
"$userID": {
".read": "auth.uid === $userID",
".write": "auth.uid === $userID"
}
}
Because this rule allows any authenticated user to write to the entire `users` node as long as no child named after their own uid exists yet (which is true for every new user) — not just to their own entry, so one user can create or overwrite other users' records (not secure):
".write":"auth.uid !== null && !data.hasChild(auth.uid)",
and, because rules cascade, once a parent `.write` grants access the child rule below can no longer take it away (it is effectively meaningless now):
".write": "auth.uid === $userID"
To make it secure, users rule must look like this:
"users": {
"$userID": {
".write":"auth.uid !== null && !data.hasChild(auth.uid) && auth.uid === $userID",
".read": "auth.uid === $userID"
}
}
So fix your rules, and be careful of RULES CASCADING. Two more things in the posted rules are worth fixing: the `$postID` rule `".write": "!data.hasChild('ownerID')"` grants write access with no `auth` check at all, so anyone can create a post (and, by cascading, all of its children); and in the `score` rule `root.child('posts').child('$postID')` uses the quoted literal `'$postID'` rather than the wildcard variable, so it looks up a key literally named `$postID` — use `.child($postID)` (or `data.parent().child('usersVoted')`). Also note that `!data.hasChild(auth.uid)` evaluated at `users/$userID` checks for a grandchild named after the uid rather than whether the entry itself exists; for a create-only rule the usual check is `!data.exists()`.

In the app permission is also denied in the firebase emulator

I am new to coding
The database contains the following fields for a user (values abbreviated):
url
https://"bucket_name".firebaseio.com/Users/ID/"$uid"
{
"Age" : "\"2000,0,0\"",
"Points today" : "110",
"Questions" : {
"All questions" : {
},
"Default questions" : {
}
},
"Ready to challenge" : "\"yes\"",
"Spirit" : "5",
"account status" : "\"active\"",
"country" : "\"AE\"",
"email" : "\"email\"",
"language" : "\"ar\"",
"name" : "\"name\"",
"password " : "\"siwasiwa\"",
"phone number" : "\"\"",
"points" : "120",
"profile picture" : "\"55\"",
"timezone" : "\"123"",
"user name" : "\"\""
I enabled Google authentication in the project, and the Firebase rules look like this. (Note: the `password` field stored above is a plaintext credential; Firebase Authentication already manages passwords, so this field should not be in the database at all. Also, `".read": true` on `Age` and `name` makes those two fields readable by anyone on the internet, and the trailing comma after the `Users` block is invalid in a rules file.)
{
"rules": {
"bucket_name":{
"Users":{
"ID" :{
"$uid": {
"Age": {
".read": true,
".write": "auth.uid == $uid"
},
"Points today": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Questions": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Spirit": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"Ready to challenge": {
".read": "auth != null",
".write": "auth != null"
},
"account status": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"country": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"email": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"language": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"name": {
".read": true,
".write": "auth.uid == $uid"
},
"password": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
},
"phone number": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"points": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"profile picture": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"timezone": {
".read": "auth != null",
".write": "auth.uid == $uid"
},
"user name": {
".read": "auth != null",
".write": "auth.uid == $uid"
}
}
}
},
}
}
}
The result is that every time I run the simulation, both read and write are rejected.
I also tried more than one approach, but to no avail.
It looks like you're trying to use Realtime Database security rules to protect a storage bucket. That's not possible. Cloud Storage has a completely different set of rules to use. These are described in the documentation.
Even if this is the Realtime Database, the rules still will not match: the URL you show (`https://<db>.firebaseio.com/Users/ID/$uid`) puts `Users` at the database root, but the rules nest everything under an extra `bucket_name` node that does not exist in the data path, so no rule matches `/Users/...` and the simulator denies the request. Drop the `bucket_name` level so the rule tree mirrors the data tree.

What is the best way of implementing firebase rules? Mine's not working [duplicate]

This is my firebase rules
{
"rules": {
".read": "auth != null",
".write": "root.child('users/auth.id/user_type').val() == 'admin'"
}
}
My users node. (Data is faked)
{
"users" : {
"2anxMpsdsxsd5K2" : {
"user_email" : "dsds#gmail.com",
"user_name" : "dsd",
"user_photo_url" : "somepic.jpg",
"user_roles" : {
"writer" : true
}
},
"z8uzffddelsSl1" : {
"user_email" : "xcxc#gmail.com",
"user_name" : "xcxc",
"user_photo_url" : "fb-picture",
"user_type" : "admin"
}
}
}
I tried with user roles but was still denied from writing. Are my rules the faulty part? (In the rule above, `'users/auth.id/user_type'` is a single literal string, so the path `users/auth.id/user_type` never exists; the uid has to be concatenated in, e.g. `root.child('users/' + auth.uid + '/user_type').val() == 'admin'`.)
This is what I came up with.
{
"rules": {
"users": {
".read": "auth != null",
"$user_id": {
".write": "auth.uid == $user_id || root.child('users').child(auth.uid).child('user_type').val() == 'admin'"
}
},
// "news": {
// "$news_id": {
// ".read": "auth != null",
// ".write": "auth.uid == root.child('news').child($news_id).child('news_author_id').val() || root.child('users').child(auth.uid).child('user_type').val() == 'news_contributor' || root.child('users').child(auth.uid).child('user_type').val() == 'admin' "
// }
// },
"programs": {
".read": "auth != null",
"courses": {
"$course_id": {
".write": "auth.uid == root.child('programs').child('courses').child($course_id).child('program_author_id').val() || root.child('users').child(auth.uid).child('user_type').val() == 'admin'"
}
},
"tracks": {
".read": "auth != null",
"$track_id": {
".write": "auth.uid == root.child('programs').child('tracks').child($track_id).child('program_author_id').val() || root.child('users').child(auth.uid).child('user_type').val() == 'program_contributor' || root.child('users').child(auth.uid).child('user_type').val() == 'admin'"
}
}
},
"news": {
".read": "auth != null",
"$news_id": {
".write": "root.child('users').child(auth.uid).child('user_type').val() == 'news_contributor' || auth.uid == root.child('news').child($news_id).child('news_author_id').val() == auth.uid || root.child('users').child(auth.uid).child('user_type').val() == 'admin'"
}
}
}
}
One problem though: this error pops up: `error TS7027: Unreachable code detected.` (That is a TypeScript compiler diagnostic from the app code, not a rules error.)
Two issues in the rules above should be fixed before relying on them. Under `users/$user_id`, `auth.uid == $user_id` lets every user write their own record, including `user_type`, so any user can make themselves `admin` — a role field must be writable only by admins (for example a `user_type` child rule that the owner cannot write, or keep roles outside the user's own node). And in the `news` rule, `auth.uid == root.child('news').child($news_id).child('news_author_id').val() == auth.uid` is a chained comparison: the first `==` yields a boolean that is then compared with a string, so that branch should never match — drop the trailing `== auth.uid`.

Firebase rules length validation error

I've been a while working with firebase and I love it but today I'm working on security rules and I'm getting an error with simulator, my code looks as below:
{
"rules": {
"users":{
"$uid":{
".read": "auth.uid != null",
".write": "auth.uid != null",
".validate":"newData.child('profile').child('userName').isString()&& newData.val().length < 15"
}
}
}
}
The error appears only when I add the length validation. When I do:
{
"rules": {
"users":{
"$uid":{
".read": "auth.uid != null",
".write": "auth.uid != null",
".validate":"newData.child('profile').child('userName').isString()"
}
}
}
}
Works fine. Any idea why this is happening? I have read the documentation at https://firebase.google.com/docs/database/security/securing-data and many other examples and I just can't find the error. Thank you so much in advance, and happy coding.
You can add validation to individual fields, as in this example. (Note that the per-field `.validate` rules below must each be wrapped in their own object, e.g. `"familyName": { ".validate": "..." }`; as written the `familyName`/`givenName`/`age` lines are not valid rules syntax.)
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid",
".read" : "$user_id === auth.uid",
"familyName" : ".validate": "newData.isString() && newData.val().length > 1 && newData.val().length < 100",
"givenName" : ".validate": "newData.isString() && newData.val().length > 1 && newData.val().length < 100",
"age" : ".validate": "newData.isNumber() && newData.val() > 13 && newData.val() < 110",
"email": {
// an email is only allowed in the profile if it matches
// the auth token's email account (for Google or password auth)
".validate": "newData.val() === auth.email"
}
}
}
}
}
Ok, I have solved it; the correct syntax is below. (Note that the rules shown are identical to the original, so the underlying problem is still there: `newData.val().length` at the `$uid` level is evaluated against the whole user object rather than a string — the length check belongs on the `userName` value, e.g. `newData.child('profile').child('userName').val().length < 15`. Also `auth.uid != null` lets any signed-in user read and write every other user's record; `auth.uid === $uid` scopes access to the owner.)
{
"rules": {
"users":{
"$uid":{
".read": "auth.uid != null",
".write": "auth.uid != null",
".validate":"newData.child('profile').child('userName').isString()&& newData.val().length < 15"
}
}
}
}

My Firebase realtime database security rules: validate not working

{
"rules": {
"interviews": {
".read": true,
".write": "auth != null && root.child('admins').child(auth.uid).exists()",
"thumbnail" :{
".validate" : "newData.val() != 0 || (newData.val() == 0 && data.val() == 'uploading')"
},
"soundbyte" :{
".validate" : "newData.val() != 0 || (newData.val() == 0 && data.val() == 'uploading')"
}
},
"token": {
".read": false,
".write": "auth != null && auth.isAdmin == true"
},
"admins":{
".read" : false,
".write": "auth != null && auth.isAdmin == true"
}
}
}
Can you tell me of any problem with my security rules? I am trying to add a validation to my thumbnail's data. (Two things are visible in the rules: the `thumbnail`/`soundbyte` `.validate` rules sit directly under `interviews`, so they only apply to the literal paths `interviews/thumbnail` and `interviews/soundbyte`, not to `interviews/<pushId>/thumbnail` as in the sample data below — a `$interviewId` wildcard level is needed between them. Also, `auth.isAdmin` is not a property of `auth`; custom claims are exposed as `auth.token.isAdmin`, so the `token` and `admins` write rules as written are likely never satisfied.)
Here is a small example of the data structure I am going to use with it.
interviews
-K_l_pkOTUYovqRwajln
detail: "YO"
soundbyte: "interview_sb_KlpkOTUYovqRwajln.mp3"
thumbnail: "uploading"
title: "Episode Five"
video_url: ""
-K_ll31srQ46vgtDXX1n
detail: "Duncan lives in a town."
soundbyte: "interview_sb_KllsrQvgtDXXn.mp3"
thumbnail: "interview_thumb_KllsrQvgtDXXn.jpg"
title: "Duncan"
video_url: ""
