l want make only user able to create new post, and only user able to modify only the post that were created by them. Like delete or edit !
database structure
{
"post" : {
"-LWzHsKzAyK9Wfa1kbD_" : {
"name" : "test",
"title" : "test",
"userId" : "8D3sENaBcLaXoGNnh1MPuoyj5LP2"
},
"-LWzHx6u-gQ7XoVR714a" : {
"name" : "check",
"title" : "check",
"userId" : "WUM2HBkGo8TFDeOjEqO1s3lCj1p1"
}
}
}
l used this rules but l got error when to save No such method/property 'userId'.
{
"rules": {
".read": false,
".write": false,
"report": {
".read": "auth != null",
".write": "auth != null && ( (data.exists() && data.userId === auth.uid) || !data.exists() || !newData.exists() )"
}
}
}
You can't just use property accessor notation to get a child value of the data. You must call the child() function to get the child, and the val() function to get its value.
So:
data.child('userId').val() === auth.uid
Related
I am on the blaze plan and building a chat functionality in my app using Firebase realtime database.
I have 3 databases for now :
Main instance that contains sharding information and users chats' info.
The 2 other instances will contain the chats and messages.
The database structure for the main instance looks like this :
{
"shards" : {
"shard1" : {
"full" : false,
"name" : "shard1",
"num" : 1,
"url" : "shard1Url"
},
"shard2" : {
"full" : false,
"name" : "shard2",
"num" : 0,
"url" : "shard2Url"
}
}
}
And here is the data structure of one of the shard :
{
"users" : {
"user_id_1" : {
"chat_id_1" : true
},
"user_id_2" : {
"chat_id_1" : true
}
},
"chats" : {
"chat_id_1" : {
"created" : true,
"createdAt" : 1645888918717,
"members" : {
"user_id_1" : true,
"user_id_2" : true
},
"name" : "",
"uid" : "chat_id_1",
"updatedAt" : 1645895862214
}
},
"messages" : {
"chat_id_1" : {
"mess_id_1" : {
"content" : "Hello",
"chatID" : "chat_id_1",
"createdAt" : 1645895862214,
"senderID" : "user_id_1",
"uid" : "mess_id_1"
},
"mess_id_2" : {
"content" : "Bye",
"chatID" : "chat_id_1",
"createdAt" : 1645889441313,
"senderID" : "user_id_2",
"uid" : "mess_id_2"
}
}
}
}
I want the following rules to apply :
Reads :
A user can listen for changes under /users/$user_id/ where $user_id is auth.uid
A user can get all the chats from the above IDs when he is in the member map (under /chats/$chat_id)
A user can read all the messages from a chat when he is a member (under /messages/$chat_id)
Writes :
A user can create a chat if there is no data under the chat_id node
A user can update a chat if he is a member under the chat_id
A user can create a message if a chat_id exists and if he is a member under the chat_id and if the senderID matches the auth.uid
A user can delete a message if he is the sender of the message (not sure i can do this with security rules but only client side)
A user can add only an item like {"$chat_id": true} under any other user under /users/$user_id/
So far, here are my rules that are not working :
-> Main shard :
{
"rules": {
"shards": {
".read": "auth.uid != null",
".indexOn": ["full"],
"$shardName": {
"num": {
".write": "auth.uid != null"
},
"$other": {
".write": false
}
}
},
}
}
-> For other shards :
{
"rules": {
"users": {
"$userID": {
".write": "auth.uid != null && !data.exists()",
".read": "auth.uid == $userID",
}
},
"chats": {
"$chat_id": {
".read": "data.child('members/'+auth.uid).exists()",
".write": "(!data.exists() && newData.hasChild('members')) || data.child('members/'+auth.uid).exists()",
}
},
"messages": {
"$chat_id": {
".read": "root.child('chats').child($chat_id).child('members').child(auth.uid).exists()",
".indexOn": ["createdAt"],
"$mess_id": {
".write": "(!data.exists() && newData.child('senderID').val() == auth.uid) || (data.exists() && data.child('senderID').val() == auth.uid)"
}
}
}
}
}
EDIT :
I have made many edit regarding the database structure.
I especially need help with reads rather than writes, as writes seem to be working fine now but i would like confirmation and / or changes if you see mistakes.
I want to share secure data between users.
"shared_requests" : {
"shared_uid" : {
"deviceSeriNo" : "device1serino",
"user1" : {
"email" : "john#john.com",
"userName" : "John"
},
"user2" : {
"email" : "micheal#micheal.com",
"userName" : "Micheal"
}
}
}
Rules: (Edited, I forgot to write a small part. (auth.uid.email.replace('#','').replace('.','')))
"shared_requests": {
"$key": {
".read": "root.child('shared_requests').child($key).child('user1/email').val() == auth.uid.email.replace('#','_').replace('.','_') || root.child('shared_requests').child($key).child('user2/email').val() == auth.uid.email.replace('#','_').replace('.','_')",
".write": "root.child('shared_requests').child($key).child('user1/email').val() == auth.uid.email.replace('#','_').replace('.','_') || root.child('shared_requests').child($key).child('user2/email').val() == auth.uid.email.replace('#','_').replace('.','_')"
}
}
But not working. How can I solve this problem?
Edit:
It works when I try with the UID.
"shared_req4": {
"shared_uid": {
"$key": {
".read": "auth != null && auth.uid === $key",
".write": "auth != null && auth.uid === $key"
}
}
}
Data:
Simulator:
Simulation results:
But it doesn't work when I try it by email.
"shared_req3": {
"shared_uid": {
"$key": {
".read": "auth != null && auth.uid.email.replace('#','_').replace('.','_') === $key",
".write": "auth != null && auth.uid === $key"
}
}
}
Data:
Simulator:
Simulation results:
Problem is solved.
It doesn't work on the simulator so try on the code. And it needs to be 'auth.token.email' instead of 'auth.uid.email'.
#FrankvanPuffelen Thank you so much.
My app's content is generated by the user. I want each user to access and edit his own data (the nodes he creates). So the user creates a "clips" node and a "clipOwners" node if the nodes are empty and he should also be able also to update any of these nodes and child nodes if he is the owner. Another user shouldn't be able to create a new node if the node pushKey (i.e. "$11111111") is already taken.
Here is my database structure:
clips {
variable Key >>> "111111111111" : {
"MACaddress" : "111111111111",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
},
"222222222222" : {
"MACaddress" : "222222222222",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
}
},
"clipOwners" : {
"111111111111": "QpMHsVHHRrMvk92rbSQvcYEv4en1"
"222222222222": "QpMHsVHHRrMvk92rbSQvcYEv4en1",
}
I am trying this but the "ownerID" child node keeps on being updated by another user if another user tries to write to the same $MACaddress:
"clips": {
".read": "true",
".write": "!data.exists() || newData.exists()",
"$MACaddress":{
"ownerID": {
".validate": "!data.exists() || newData.val() === root.child('clipOwner').child($MACaddress).val()",
}
}
},
"clipOwners": {
".read": true,
".write": "newData.exists()",
"$MACaddress": {
},
Why is it behaving like that?
Any ideas on how I can lock this thing?
In your current write rules you only check if data (not) exists. In this answer i will only focus on the write rules to make sure you can't have duplicate keys (see clipOwners rules) and you can only write to your own data (see clips rules):
"clipOwners": {
".read": true,
"$MACaddress": {
//Only create or delete are possible and value is the user uid
".write": "(!data.exists() || !newData.exists()) && (newData.val() == auth.uid || data.val() == auth.uid)"
}
},
"clips": {
".read": "true",
"$MACaddress":{
//The $MACaddress has to exist in the clipOwners node and its value has to be the user uid
".write": "root.child('clipOwners/'+$MACaddress).exists() && root.child('clipOwners/'+$MACaddress).val() == auth.uid"
}
}
When writing you first have to write the $MACaddress in the clipOwners node because this will be used to check if the user can write to the clips node.
You can take a look at these docs for a simular case.
What does $uid mean in the code ?
is $uid a column name or key name?
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
as in document
A wildcard path used to represent ids and dynamic child keys.
more detail , let say you have this data
{
users : {
"SOME_KEY_1" : {"name" : 'test 1' , "private" : {...}} ,
"SOME_KEY_2" : {"name" : 'test 2' , "private" : {...}} ,
"SOME_KEY_3" : {"name" : 'test 3' , "private" : {...}} ,
}
}
and these rule
{
"rules" : {
"users" : {
"$uid" : {
"private" : "auth != null && auth.uid === $uid"
}
}
}
}
you cannot know the keys of users node but you need to prevent other users to private node except their own so you put $uid to represent dynamic child keys
in your case you just allowing user to write to their own data
I have my data like, a teacher and few students with payment options.
I want to structure below data.
Authenticated teacher with read/write access to students profiles.
r/w access to Authenticated student profile.
invoice readable by student however, write access to teacher.
looking for inputs/help in structuring the above dB with security rules in firebase.
Update
Use below sample DB to test against Bradley answer.
{
"invoices" : {
"stid1" : {
"studentID" : "9EtsXHveIyaEkkLLk5hpo6vCtVx1"
}
},
"students" : {
"3d2HnQUxAbgaOqWBEqfDuhkhkj63" : {
"name" : "s2"
},
"9EtsXHveIyaEkkLLk5hpo6vCtVx1" : {
"name" : "s1"
}
},
"teachers" : {
"aiBunX1rZceD2lRslEmCrFHS2XF3" : {
"name" : "s1"
}
}
}
The following database rules:
{
"rules": {
// teachers profiles stored under this node
// teachers can read and write under their own node
"teachers": {
"$teacherID": {
".read": "auth != null && auth.uid == $teacherID",
".write": "auth != null && auth.uid == $teacherID"
}
},
// teachers can r/w student profiles, and the students can also r/w their own profile
"students": {
"$studentID": {
".read": "auth != null && (root.child('teachers').child(auth.uid).exists() || auth.uid == $studentID)",
".write": "auth != null && (root.child('teachers').child(auth.uid).exists() || auth.uid == $studentID)"
}
},
"invoices": {
"$invoiceID": {
// assuming each invoice has the student ID located at /$invoiceID/studentID
// students can read, teachers can r/w
".read" : "auth != null && (root.child('invoices').child($invoiceID).child('studentID').val() == auth.uid || root.child('teachers').child(auth.uid).exists())",
".write": "auth != null && root.child('teachers').child(auth.uid).exists()"
}
}
}
}
Works on the following database:
{
"teachers" : {
"aiBunX1rZceD2lRslEmCrFHS2XF3" : {
"name" : "s1"
}
},
"students" : {
"3d2HnQUxAbgaOqWBEqfDuhkhkj63" : {
"name" : "s2"
},
"9EtsXHveIyaEkkLLk5hpo6vCtVx1" : {
"name" : "s1"
}
},
"invoice" : {
"stid1" : {
"9EtsXHveIyaEkkLLk5hpo6vCtVx1" : {
"ispaid" : false
},
"studentID" : "9EtsXHveIyaEkkLLk5hpo6vCtVx1"
}
}
}