how to allow non authenticated user to update only highlighted child and only read other child
current roles is
{
"rules": {
".read": true,
".write":"auth != null"
}
}
I have got the answer
{
"rules": {
".read": true,
".write":"auth != null",
"$product": {
"$id": {
"showen":
{
".write": true
}
}
}
}
}
Related
I'm having some issues wrapping my head around the database rules and the documentation isn't helping. I am trying to set things up so that only the user can delete their own items, however at the moment I'm getting permission_denied errors. I am assuming that it is because I don't have a read/write rule on the 'items' level. However I feel that if I just added a 'auth != null' rule it would give to much permission. Any thoughts?
the database setup:
users:
{
user_1 {
items:
{
item_1: true,
item_2: true,
}
},
user_2 {...},
etc {...},
},
items:
{
item_1
{
user: "user_1"
....
},
item_2
{
user: "user_1"
....
},
}
The database rules look like
{
"rules": {
"users": {
"$uid":{
".read": "auth != null && auth.uid==$uid",
".write": "auth != null && auth.uid==$uid"
}
},
"items": {
"$itemID": {
".read": "root.child('Users/'+auth.uid+'/'+$itemID).exists()",
".write": "root.child('Users/'+auth.uid+'/'+$itemID).exists()"
}
}
}
}
At the moment any user can delete any item.
To ensure that only the owner can delete the item, you need to not just verify that:
"items": {
"$itemID": {
".read": "auth.uid == data.child('user').val()",
".write": "auth.uid == data.child('user').val()"
}
}
There is no need to check if they exist in the /users node as far as I can tell, although you can easily add that back if needed.
But if a user can only read/write their own items, I'd model the data differently:
"items": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
"$itemID": {
}
}
}
This is much simpler to model and will give you much better scalability, since the database only ever has to consider the data for one user.
I want to create a firebase rule that allows users to read and write to child if a property of that child has a specific value. Let's say my database looks something like this:
"tasks": {
"SDkh7s62jnd23d9": {
"uid": "someuserid",
"other": "datagoes here"
}
}
Here is my current security rule:
"tasks": {
".indexOn": "_state",
"$registerQueueKey": {
".read": "data.child('uid').val() == auth.uid",
".write": "newData.child('uid').val() == auth.uid"
}
}
This rule restricts user write permissions, but it never lets a user read, even if the child they are attempting to read has a uid property that equals auth.id.
I then tested the following rule set:
"tasks": {
".indexOn": "_state",
"$registerQueueKey": {
".read": true,
".write": "newData.child('uid').val() == auth.uid"
}
}
Despite the .read permission being set to a permanent true value, the user still cannot read the $registerQueueKey child.
I then tested the following rule set:
"tasks": {
".indexOn": "_state",
".read": true,
"$registerQueueKey": {
".write": "newData.child('uid').val() == auth.uid"
}
}
Now I can read the child fine, so I attempted this final security rule:
"tasks": {
".indexOn": "_state",
".read": "data.child($registerQueueKey").child('uid').val() == auth.uid",
"$registerQueueKey": {
".write": "newData.child('uid').val() == auth.uid"
}
}
But this rule throws an error because the variable $registerQueueKey is undefined in the scope it is being used.
How do I accomplish a rule like this?
I think the error is because you have not placed a wildcard:
"tasks": {
"$uid": {
".indexOn": "_state",
".read": "data.child($registerQueueKey").child('$uid').val() == auth.uid",
"$registerQueueKey": {
".write": "newData.child('$uid').val() == auth.uid"
}
}
}
Hey so I have this Firebase layout where I have files and every file can have children and all the children can have children, etc. How would I set up my security rules to dynamically work for the children (32 max if I'm remembering it correctly?). It kind of has to work with different read/write permissions depending on the user etc.
This is how it would work in a perfect world:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
"files": {
"$file": {
// permissions ...
"children": {
"$file": {
// permissions ...
"children": {
// etc ...
}
}
}
}
}
}
}
}
}
My firebase data looks like this-
My security rules are-
{
"rules": {
"users": {
"fred": {
".read": true,
".write": true
},
"wilma": {
".read": "auth.id == '1'",
".write":true
},
"$other": {
"name": {
".read": true,
".write": true
}
}
}
}
}
First click on Authenticate button.
Path you should enter is /users/wilma
I have this set of rules:
{
"rules": {
"facebook_users": {
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id",
"userData": {
"maxProjects": {
".validate": false
},
"userProjects": {
".validate": ???
}
}
}
}
}
}
I'd like to let an user not being able to add a children to the userProjects array if userProjects.length > userData.maxProjects. The user is denied writing in the maxProjects already, due to the ".validate": false rule. How can I compare userProjects' length with maxProjects?
If it's not possible, what is a correct way to do this?
You can use the root special variable along with child() to do this comparison:
{
"rules": {
"facebook_users": {
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id",
"userData": {
"maxProjects": {
".validate": false
},
"userProjects": {
".validate": "data.val().length < root.child('facebook_users').child($user).child('userData/maxProjects').val()"
}
}
}
}
}
}
Have you read this?
parent()
Gets a RuleDataSnapshot for the parent location.
Return Value: RuleDataSnapshot - The RuleDataSnapshot for the parent location.