I've the follwing database:
actions : [ {
"added" : 1535293085383,
"countdown" : 9999999999,
"item" : 1,
"type" : "a"
}, {
"added" : 1535293085383,
"countdown" : 999999999,
"extra" : "bb",
"item" : "2",
"type" : "b"
}, {
"added" : 1635293085383,
"countdown" : 1,
"item" : 3,
"type" : "c"
}]
I want to any logged user be able to read all data, but ONLY WRITE THE COUNTDOWN NODE.
My idea is everytime users read the data decrement that value, but they are not allowed to update any other node
there are the rules i wrote
{
"rules":{
".read":false,
".write":false,
"actions":{
".indexOn":[
"added"
],
".read": "auth != null",
"countdown":{
".write" : "auth != null"
}
}
}
it is denying read from unauthenticated users
it is allowing to read from authenticated users
it is dennying to write from authenticated users EVEN in the countdown node
how can i fix it
You're missing a level in your security rules. Right now you allow writing to /actions/countdown. But you want to allow writing to /actions/*/countdown. To capture that requirement, use a $ variable in your rules:
{
"rules":{
".read":false,
".write":false,
"actions":{
".indexOn": [ "added" ],
".read": "auth != null",
"$actionid": {
"countdown":{
".write" : "auth != null"
}
}
}
}
Now because of the $actionid the countdown/.write rule under there applies to each child node of /actions.
Related
I'm trying to prevent my home view from loading posts that are flagged by the user.
I have a data structure as follows:
"reportedPosts" : {
"HtnULzU0lnZKYva2M2Wepl6N8wE3" : {
"reported" : true,
},
"boX6rtJ98haWVxNoXfSq21maCVU2" : {
"reported" : true,
},
},
"posts" : {
"HtnULzU0lnZKYva2M2Wepl6N8wE3" : {
"details" : "abc",
},
"boX6rtJ98haWVxNoXfSq21maCVU2" : {
"details" : "abc",
},
"jSMSkY9rHtdNkXoLrsFmCAXdY9n2" : {
"details" : "abc",
},
"jnFhJbgCjZeJFx0hspObqoskQej2" : {
"details" : "abc",
},
"r6KPesUr1qORfIJke07SloZHeNW2" : {
"details" : "abc",
}
}
My Security Rules:
"posts": {
".indexOn": "datestamp",
"$post_id" : {
// only load posts not reported
".read": "auth != null && !root.child('reportedPosts').hasChild($post_id)",
".write": "auth != null"
}
},
"reportedPosts" : {
".read": "auth != null",
".write": "auth != null"
}
However I'm getting
Listener at /dev/posts failed: permission_denied
Can someone help me shed some light?
This is a common stumbling block when designing Firebase databases. As the docs say, rules are not filters so if you make some children entities readable and others not readable, you'll no longer be able to fetch /posts as you'd expect.
A simple solution: When a post is reported, move it from /posts to /reportedPosts so that it not longer exists under /posts. Then after you've reviewed the post you can move it back under /posts if the post doesn't violate any rules. That simplifies your rules and allows users to fetch a list of posts without seeing reported posts.
I'm really scratching my head here, and I've been reading as much as I can on many other cases. I'm new to Firebase, but got some understanding of it. I was wanting to restrict certain records of the database to certain users. So here's my JSON:
"accounts" : {
"13asdf313" : {
"dog" : "bacon",
"email" : "luis#fakeemail.com",
"first" : "luis",
"last" : "xxxx"
},
"HlELrrGDbiMKgxxxx" : {
"name" : "Luis"
},
"anthony" : {
"email" : "anthony#fakeemail.com",
"last" : "xxxx",
"name" : "anthony"
},
"jpSq6UzX0mcAvExxxx" : {
"name" : "anthony"
}
}
Here are the rules set up based on what I've been reading:
{
"rules": {
"accounts":{
"$uid":{
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
},
}
}
In the simulator, I used the bottom condition (I even put /accounts in the location field). I used the UID: HlELrrGDbiMKgxxxx, copied straight from Firebase account list.
This is always coming up as failed
What am I doing wrong?
You have to insert accounts/HlELrrGDbiMKgxxxx into the Location field.
Otherwise you are trying to access the whole database (standard location is root, which covers the whole database). Your rule is just set for the child accounts/$uid and to access it the user id from authentication and the child location in the database must match.
I have data in firebase in following format -
"requests" : {
"-KpPjt5jQZHBalQRxKSK" : {
"email" : "pariksheet#agsft.com",
"itemId" : "-KmazkKp5wavdHOczlDS",
"quantity" : 1,
"status" : "new"
},
"-KpZsw3KHE9oD1CIFQ4R" : {
"email" : "pbarapatre#gmail.com",
"itemId" : "-Kmb-ZXfao7VdfenhfYj",
"quantity" : 1,
"status" : "new"
}
}
Every request contains
"email" <- user's email id who has initiated the request.
"itemId" <- id of requested item
"quantity" <- item quantity
"status" <- "new" | "approved" | decline.
I am struggling to write Firebase rule which would:
allow authenticated user to access/read only requests which are raised by him/her.
allow admin user to read/update all requests.
My current rule is as follows :
{
"rules": {
".read": false,
".write": false,
"items" : {
".read": "auth != null",
".write": "root.child('roles').child(auth.uid).val() === 'admin'"
},
"requests": {
".write": "root.child('roles').child(auth.uid).val() === 'admin'", /*Only Admins can update request*/
"$rId": {
".read": "data.child('email').val() == auth.email || root.child('roles').child(auth.uid).val() === 'admin'"/*Request owner and admin can only read the particular request*/
}
}
}
}
I have maintained separate node roles which has
{
"uid" : "role"
}
I am using AngularFire2 to query Firebase in my app.
Sample code to retrieve requests with given status as below
const queryList$ = this.db.list('/requests', {
query: {
orderByChild: 'status',
equalTo: status
}
})
Thanks
Pari
I suggest you make the following changes:
In the root of the database create a new object admins
"admins": {
"<ADMIN_1_UID>": "true",
"<ADMIN_2_UID>": "true"
}
Then make changes to your security rules like this:
"rules": {
"admins": {
".read": false,
".write": false /*This ensures that only from firebase console you can add data to this object*/
},
"requests": {
".read": "root.child('admins').child(auth.uid).val()",
".write": "root.child('admins').child(auth.uid).val()", /*Only Admins can read/update all requests*/
"$rId": {
".read": "data.child('email').val() == auth.email"/*Request owner can read only the particular request*/
}
}
}
My data in firebase looks like this, in my web app everyone who accesses it gets authenticated anonymously via firebase, and their UID is stored with every post the user creates:
"-KF5N2V_dKD1dMHebUqc" : {
"note" : "Hello everybody",
"pos" : {
"lat" : 40.3628851,
"lng" : -74.0493175
},
"time" : 1460395853884,
"uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
},
"-KHwyP-tnWNOA3nxzEm4" : {
"note" : "hi",
"pos" : {
"lat" : 37.0947156,
"lng" : -121.0179501
},
"time" : 1463459362615,
"uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
}
I want my firebase rules setup so that only anonymous users can delete their through own posts.
So far i was only able to come up with this after reading the firebase documentation:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"$msg": {
".validate": "newData.hasChildren(['note','time','uid','pos'])
&& newData.child('note').isString() && newData.child('time').isNumber()
&& newData.child('uid').isString() && newData.child('note').isString()
&& newData.child('pos/lat').isNumber() && newData.child('pos/lng').isNumber()"
}
}
}
You'll need to move the .write permission down and tie it to the data:
{
"rules": {
".read": "auth != null",
"$msg": {
".write": "!data.exists() || (!newData.exists() && data.child('uid').val() === auth.uid)"
".validate": "..."
}
}
}
It's a bit of mix-and-match from these two sections of the Firebase documentation:
https://www.firebase.com/docs/security/guide/securing-data.html#section-data-variables
https://www.firebase.com/docs/security/guide/user-security.html
I have a data structure that adds user's data to their unique id such as follows.
"users" :
{
"user_id":
{
"name":"John Doe",
"email":"email#example.com",
"account":"limited",
"avatar" : "this will be a base64 data string"
}
}
I want to deny users from listing other users and I also want logged in users to access their data based on their "user_id" which is gotten from auth.uid
I had tried some rules:
{
"rules" :
{
"users" :
{
".read" : "false",
".write" : "auth != null && !data.exists() && newData.exists() ",
".validate" : "newData.child('user_id').hasChildren(['name', 'email', 'account','avatar'])",
"user_id" :
{
".read" : "auth.uid === user_id",
".write" : "false",
"avatar" :
{
".write" : "!data.exists() && newData.exists() && auth.uid === user_id",
".read" : "auth.uid === user_id"
}
}
}
}
}
Now keeping in mind that "user_id" can be anything and it changes per user, how can I implement that? Do you have other suggestions on a way I can work this out?
You need to take a close look at the Firebase documentation found here: https://www.firebase.com/docs/security/guide/user-security.html
You need to make use of the wildcard path to represent each user like this:
{
"rules": {
"users": {
"$user_id": { //this is the WILDCARD path
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
Wildcard paths explanation: https://www.firebase.com/docs/security/api/rule/path.html
Finally, I wouldn't recommend storing the email in this way because it will be available anyway via simpleLogin.