Writing operation fails - firebase database rules - firebase

I have the following object:
const offer = {
offerInfo: {
price: '',
status: 'open',
message: '',
ownerUID: '',
ownerName: '',
ownerPhoto: '',
ownerAvgRating: '',
ownerReviewNumber: '',
},
offerMetaData: {
userHasSeenOffer: false,
userHasBeenNotified: false,
}
}
I am trying to post it to the following node:
updates['jobs/${activeJob.key}/offers/${currentUser.uid}] = offer;
and then firebase.database().ref().update(updates)
As you can see I am using the users uid as the id of the offer itself.
Now when I try to post it using the following rules, I get a permission denied error and I have no clue why.
Rules:
"jobs": {
"$job_uid": {
".read": "auth !== null",
"job": {
".write": "!data.exists() && root.child('allUsers/serviceUsers/' + auth.uid + '/paymentDetails').exists() || data.exists() && root.child('jobs/' + $job_uid + '/job/owner').val() === auth.uid",
},
"offers": {
"$offer_uid": {
"offerInfo": {
".write": "$offer_uid === auth.uid",
},
"offerMetaData": {
".write": "root.child('jobs/' + $job_uid + '/job/owner').val() === auth.uid || $offer_uid === auth.uid",
},
},
},
...
Any ideas?

You are trying to write directly to $offer_uid but you don't have any write rules on that node so it will use the default false.
For you current write to succeed you can change your rules like this:
"$offer_uid": {
".write": "$offer_uid === auth.uid",
"offerMetaData": {
".write": "root.child('jobs/' + $job_uid + '/job/owner').val() === auth.uid",
},
},
I moved the write rule one node up, directly in $offer_uid, instead of having it in both the childs seperatly.
Another option would be to keep your rules and split your write so you are writing to the child nodes.

Related

Or operator not working in firebase rules

I have a realtime database. In rules, doing (a || b) works, but doing (b || a) does not work. I couldn't find the reason. Since my rules are long, I'm putting a small part of it here. actually it was working until today but today it stopped working and i didn't change anything.
Not working :
{
"rules": {
"allGames": {
"$gameID": {
".read": true
".write": "auth != null && ((!data.exists() &&
(newData.child('players').child('0').child('userID').val().contains(auth.uid) ||
newData.child('players').child('1').child('userID').val().contains(auth.uid) ||
newData.child('players').child('2').child('userID').val().contains(auth.uid) ||
newData.child('players').child('3').child('userID').val().contains(auth.uid)) ) ||
(!data.exists() &&
(newData.child('0').child('name').val().contains(auth.uid) ||
newData.child('1').child('name').val().contains(auth.uid) ||
newData.child('2').child('name').val().contains(auth.uid) ||
newData.child('3').child('name').val().contains(auth.uid)) ) )"
}
}
}
}
my json:
[
{
"durum": "davetYollayan",
"name": "PzbcSmKziaOcd4PdYNPnIWuG2iH2",
"score": 0
},
{
"durum": "davetYollayan",
"name": "efezefebcSmKziaOcd4PdYNPnIWuG2iH2",
"score": 0
}
]
Screenshot:
it works when i replace the write code with this. but both codes are the same, I don't understand why it gives an error?
".write": "auth != null && ((!data.exists() &&
(newData.child('0').child('name').val().contains(auth.uid) ||
newData.child('1').child('name').val().contains(auth.uid) ||
newData.child('2').child('name').val().contains(auth.uid) ||
newData.child('3').child('name').val().contains(auth.uid)) ) ||
(!data.exists() &&
(newData.child('players').child('0').child('userID').val().contains(auth.uid) ||
newData.child('players').child('1').child('userID').val().contains(auth.uid) ||
newData.child('players').child('2').child('userID').val().contains(auth.uid) ||
newData.child('players').child('3').child('userID').val().contains(auth.uid)) ))"

Firebase Realtime Database Private Shared Data With E-Mail?

I want to share secure data between users.
"shared_requests" : {
"shared_uid" : {
"deviceSeriNo" : "device1serino",
"user1" : {
"email" : "john#john.com",
"userName" : "John"
},
"user2" : {
"email" : "micheal#micheal.com",
"userName" : "Micheal"
}
}
}
Rules: (Edited, I forgot to write a small part. (auth.uid.email.replace('#','').replace('.','')))
"shared_requests": {
"$key": {
".read": "root.child('shared_requests').child($key).child('user1/email').val() == auth.uid.email.replace('#','_').replace('.','_') || root.child('shared_requests').child($key).child('user2/email').val() == auth.uid.email.replace('#','_').replace('.','_')",
".write": "root.child('shared_requests').child($key).child('user1/email').val() == auth.uid.email.replace('#','_').replace('.','_') || root.child('shared_requests').child($key).child('user2/email').val() == auth.uid.email.replace('#','_').replace('.','_')"
}
}
But not working. How can I solve this problem?
Edit:
It works when I try with the UID.
"shared_req4": {
"shared_uid": {
"$key": {
".read": "auth != null && auth.uid === $key",
".write": "auth != null && auth.uid === $key"
}
}
}
Data:
Simulator:
Simulation results:
But it doesn't work when I try it by email.
"shared_req3": {
"shared_uid": {
"$key": {
".read": "auth != null && auth.uid.email.replace('#','_').replace('.','_') === $key",
".write": "auth != null && auth.uid === $key"
}
}
}
Data:
Simulator:
Simulation results:
Problem is solved.
It doesn't work on the simulator so try on the code. And it needs to be 'auth.token.email' instead of 'auth.uid.email'.
#FrankvanPuffelen Thank you so much.

only user can modify has own data in firebase

l want make only user able to create new post, and only user able to modify only the post that were created by them. Like delete or edit !
database structure
{
"post" : {
"-LWzHsKzAyK9Wfa1kbD_" : {
"name" : "test",
"title" : "test",
"userId" : "8D3sENaBcLaXoGNnh1MPuoyj5LP2"
},
"-LWzHx6u-gQ7XoVR714a" : {
"name" : "check",
"title" : "check",
"userId" : "WUM2HBkGo8TFDeOjEqO1s3lCj1p1"
}
}
}
l used this rules but l got error when to save No such method/property 'userId'.
{
"rules": {
".read": false,
".write": false,
"report": {
".read": "auth != null",
".write": "auth != null && ( (data.exists() && data.userId === auth.uid) || !data.exists() || !newData.exists() )"
}
}
}
You can't just use property accessor notation to get a child value of the data. You must call the child() function to get the child, and the val() function to get its value.
So:
data.child('userId').val() === auth.uid

How to allow a node to be created, updated and deleted by the creator but not by other users in Firebase?

My app's content is generated by the user. I want each user to access and edit his own data (the nodes he creates). So the user creates a "clips" node and a "clipOwners" node if the nodes are empty and he should also be able also to update any of these nodes and child nodes if he is the owner. Another user shouldn't be able to create a new node if the node pushKey (i.e. "$11111111") is already taken.
Here is my database structure:
clips {
variable Key >>> "111111111111" : {
"MACaddress" : "111111111111",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
},
"222222222222" : {
"MACaddress" : "222222222222",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
}
},
"clipOwners" : {
"111111111111": "QpMHsVHHRrMvk92rbSQvcYEv4en1"
"222222222222": "QpMHsVHHRrMvk92rbSQvcYEv4en1",
}
I am trying this but the "ownerID" child node keeps on being updated by another user if another user tries to write to the same $MACaddress:
"clips": {
".read": "true",
".write": "!data.exists() || newData.exists()",
"$MACaddress":{
"ownerID": {
".validate": "!data.exists() || newData.val() === root.child('clipOwner').child($MACaddress).val()",
}
}
},
"clipOwners": {
".read": true,
".write": "newData.exists()",
"$MACaddress": {
},
Why is it behaving like that?
Any ideas on how I can lock this thing?
In your current write rules you only check if data (not) exists. In this answer i will only focus on the write rules to make sure you can't have duplicate keys (see clipOwners rules) and you can only write to your own data (see clips rules):
"clipOwners": {
".read": true,
"$MACaddress": {
//Only create or delete are possible and value is the user uid
".write": "(!data.exists() || !newData.exists()) && (newData.val() == auth.uid || data.val() == auth.uid)"
}
},
"clips": {
".read": "true",
"$MACaddress":{
//The $MACaddress has to exist in the clipOwners node and its value has to be the user uid
".write": "root.child('clipOwners/'+$MACaddress).exists() && root.child('clipOwners/'+$MACaddress).val() == auth.uid"
}
}
When writing you first have to write the $MACaddress in the clipOwners node because this will be used to check if the user can write to the clips node.
You can take a look at these docs for a simular case.

Firebase: permission_denied -- cannot access newData.child()

This is the structure of my data
{
"projects" : {
"proj1" : {
"-JccS4StrTnJdTficR-u" : {
"name" : "consultation",
"status" : false
},
"-Jd6JlJUfyyZ2U0NTQEs" : {
"name" : "Words",
"status" : false
}
},
"proj2" : {
"-JccS6nwYHRrxvjZtCkt" : {
"name" : "Rework",
"status" : false
},
"-Jd6Jqa7-EPJuWxbtJAV" : {
"name" : "Review",
"status" : false
}
},
"proj3" : {
"-JccSJ5lEBQEg3XCbG-u" : {
"name" : "translation",
"status" : false
}
}
}
}
Here are my rules
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
When I created the database, there was no rule. Now, I've created the rules. I want the length of the name to be less than 10 characters.
When I run the code, I'm getting the following error: FIREBASE WARNING: set at /projects/proj3/-Jd4n6XditTHLWKVmhC6 failed: permission_denied
I can't exactly tell why it's not working. I've also tried just this portion newData.child('name').isString(), but I'm still getting the same error.
Here is the code that push data to FireBase
function saveToFB(taskName, proj) {
// this will save data to Firebase
var project=projTasks.child(proj);
project.push({
name: taskName,
status: false
});
};
Looking at the structure of your data, as well as your rules, it looks like there is a missing level of data between "proj1"/"proj2"/"proj3" and the object that has name and status attributes.
Specifically, the .validate rules you have configured is checking the length of the name attribute for "proj3", not the new element added to the list there.
To get around this, try increasing the depth of the security rules definitions, and make use of the $wildcard functionality, where any security rules key prefixed with $ is treated as a wildcard with a name that you can reuse.
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
"$someChildElementHere": {
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
}

Resources