I wanted to make a rule that only I could write to my database when I was logged in.
My understanding is that ".write": "$uid === auth.uid" only limits writing to authorized users not just specifically to me.
I wasn't 100% sure how to accomplish this so what I ended up doing was setting up a GitHub login (for the 2FA).
I took the UID from that and added it to an admins section of my structure and had the rules check against that.
I'm not sure if that actually works they way I have it setup here so I thought I'd ask the community.
{
"rules": {
".write": "root.child('admins').child('uid').val() == auth.uid",
"admins": {
".read": "false"
},
"users": {
".indexOn": ["id"],
".read": "root.child('admins').child('uid').val() == auth.uid"
},
"posts": {
".indexOn": ["location"],
".read": "true"
}
}
}
Custom Claims.
The Firebase Admin SDK supports defining custom attributes on user
accounts. This provides the ability to implement various access
control strategies, including role-based access control, in Firebase
apps. These custom attributes can give users different levels of
access (roles), which are enforced in an application's security rules.
{
"rules": {
"adminContent": {
".read": "auth.token.admin === true",
".write": "auth.token.admin === true",
}
}
}
Related
Looking to make my server more secure at this moment my Firebase Security Rules are
{
"rules": {
".read": "auth.uid != null",
".write": "auth.uid != null"
}
}
The above rule would allow anyone that has a user credential to change data. This would make the data insecure therefore what I am looking to do is change the security rule so that only the owners of the data are allowed to change their information. please note that my data structure on the real database has two nodes
Please see the attached image below
We just want to secure posts the code I am trying to run and it's not working
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
The error I am getting is simulated read denied
I'm not sure whether the title of this is appropriate as I'm new to Firebase Authentication and rules, however, I have successfully setup authentication and am now trying to protect a particular route and can't seem to access the relevant data, here's my Firebase rules on my realtime database:
{
"rules": {
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
},
"demo": {
".read": "accounts.$uid === auth.uid",
".write": true
}
}
}
As you can see, I'm trying to access the accounts/$uid/ from within "demo", it doesn't seem to work, what am I missing/what do I need to change?
Many thanks
UPDATE
The code in question not working is:
".read": "accounts.$uid === auth.uid"
I can't seem to access this part. It doesn't seem to get the current user's authentication status.
UPDATE
See attached screenshot for my attempt on using a predefined variable. I'm simply trying to get the auth status and I'm getting an error saying it's undefined?
The UID of the current user who is trying to access the data is available in auth.uid. If you're trying to ensure that a read of quotes is only allowed if the user has a document in the accounts node, you're looking for exists().
"website-quotes": {
".read": "root.child('accounts').child(auth.uid).exists()"
}
I hae a project database structure :
users
isSuperMan: false
isAdmin: false
info:
givenName: xxxxxx
address: yyyyyy
....
memberships:
2018:
paid: 10
paidOn: 20198-01-01
paymentType: 1
2017:
paid: 10
paidOn: 20198-01-01
paymentType: 1
....
and my current Firebase rules are set to allow a logged user to create/update/delete his own data
{
"rules": {
".read": "auth.uid != null",
".write": false,
"users": {
"$uid": {
".write": "$uid == auth.uid"
}
}
}
}
As I am totally newbie with Firebase rules , I don't see how to set them to handle the following business cases , any help appreciated
I wonder if I should not go for Firestore to handle such cases ?
logged user with Superadmin or Admin role ( true) can read/write ALL DATA
standard logged user can read/write his own info
standard user can read but cannot update/delete memberships
memberships data are written only when logged user is paying it
To give someone with the admin role read access to the whole database, use these rules:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
This read rule replaces what you currently have, since right now all signed in users can read the entire database.
To then allow each user to read/write their own info, modify the above to:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true",
"users": {
"$uid": {
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
}
}
I highly recommend checking out the Firebase documentation on security rules, specifically the section on securing user data (which covers step two I showed above), as well as the great video explaining security rules.
I am new to firebase and I am building a small SPA.
I could set the security rules like the following. (Only authenticated user can read or write his own projects.)
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This works fine but when I sign in to my app, inspect the source code and try adding hidden extra objects in project form, firebase still accept it.
In this screenshot, the objects such as blablab, blablabla are added from Chrome's inspect tool.
As the data structure has to be like
users-->userId-->projects-->unquieKey-->project_title
But after I added it, the db structure is messed up.
I want to know that how can I prevent someone sending extra data or spam objects?
When you use this:
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It means only authenticated users can read and write to the database. So every user who was authenticated will be able to send data to the database. To prevent spam, you need to think of a way(maybe a function that prevents user to write specific words to the database)
You can also use validation, that can help a bit:
{
"rules": {
".validate": "newData.isString() && newData.val().length < 100"
}
}
more details here: https://firebase.google.com/docs/database/security/
You can use this:
{
"rules": {
".read": true,
".write": false
}
}
to prevent anyone from sending data
trying to get this to work :
{
"rules": {
".read": true,
".write": "auth.uid == simplelogin:2",
}
}
I want just a specific user to have a write control over everything (for now). How do I make this work?