Firebase security rules, data variable - firebase

I have a database schema like this:
Posts
unverified
post_1
post_2
...
And here is a shortened list of data in /posts/unverified path
{
"-L7xmY2HMeEImDZnZqTf" : {
"categorie" : 0,
"commonFields" : {...},
"fbKey" : "-L7YM7vEf8RpcxGUTpDE",
"images" : [...],
"specialFields" : {
"area" : "150",
"productPrice" : {
"currency" : "dollar",
"value" : "65000"
},
"requestType" : "sell",
"requesterType" : "personal",
"roomCount" : 3,
"suburbia" : "false"
},
"subCat" : 0,
"timestamp" : 1521011840178,
"uid" : "Fo5f6VonWgQVpsf6u80TPgoi2it2"
},
"-L7YNUZPL1-Dl7EhScEE" : {...},
"-L7YNUZPL1-fdfasfa" : {...},
"-L7YNUZPL1-ljljklfd" : {...},
"-L7YNUZPL1-lkjlkjfas" : {...},
}
And a firebase security rules defined as below
{
"rules": {
"posts": {
"unverified": {
".indexOn": "timestamp",
".read": "data.child('uid').val() === auth.uid"
As the rules show, I want to read unverified posts if the users id equal to the uid field in the post data
But every time i use the rules simulator ( or test the with the codes ) with the below configuration, its' giving Simulated read denied error
Thanks for your helps

Your .read rule is defined on /posts/unverified and checks a child called uid. So the total path is /posts/unverified/uid.
You're trying to read /posts/unverified/-L7xmY2HMeEImDZnZqTf. And the UID value is defined on /posts/unverified/-L7xmY2HMeEImDZnZqTf/uid.
The two paths don't match. You need to add a wildcard in your rules:
{
"rules": {
"posts": {
"unverified": {
".indexOn": "timestamp",
"$postid": {
".read": "data.child('uid').val() === auth.uid"

Related

Securing Firebase RTDB with multiple databases for chat app

I am on the blaze plan and building a chat functionality in my app using Firebase realtime database.
I have 3 databases for now :
Main instance that contains sharding information and users chats' info.
The 2 other instances will contain the chats and messages.
The database structure for the main instance looks like this :
{
"shards" : {
"shard1" : {
"full" : false,
"name" : "shard1",
"num" : 1,
"url" : "shard1Url"
},
"shard2" : {
"full" : false,
"name" : "shard2",
"num" : 0,
"url" : "shard2Url"
}
}
}
And here is the data structure of one of the shard :
{
"users" : {
"user_id_1" : {
"chat_id_1" : true
},
"user_id_2" : {
"chat_id_1" : true
}
},
"chats" : {
"chat_id_1" : {
"created" : true,
"createdAt" : 1645888918717,
"members" : {
"user_id_1" : true,
"user_id_2" : true
},
"name" : "",
"uid" : "chat_id_1",
"updatedAt" : 1645895862214
}
},
"messages" : {
"chat_id_1" : {
"mess_id_1" : {
"content" : "Hello",
"chatID" : "chat_id_1",
"createdAt" : 1645895862214,
"senderID" : "user_id_1",
"uid" : "mess_id_1"
},
"mess_id_2" : {
"content" : "Bye",
"chatID" : "chat_id_1",
"createdAt" : 1645889441313,
"senderID" : "user_id_2",
"uid" : "mess_id_2"
}
}
}
}
I want the following rules to apply :
Reads :
A user can listen for changes under /users/$user_id/ where $user_id is auth.uid
A user can get all the chats from the above IDs when he is in the member map (under /chats/$chat_id)
A user can read all the messages from a chat when he is a member (under /messages/$chat_id)
Writes :
A user can create a chat if there is no data under the chat_id node
A user can update a chat if he is a member under the chat_id
A user can create a message if a chat_id exists and if he is a member under the chat_id and if the senderID matches the auth.uid
A user can delete a message if he is the sender of the message (not sure i can do this with security rules but only client side)
A user can add only an item like {"$chat_id": true} under any other user under /users/$user_id/
So far, here are my rules that are not working :
-> Main shard :
{
"rules": {
"shards": {
".read": "auth.uid != null",
".indexOn": ["full"],
"$shardName": {
"num": {
".write": "auth.uid != null"
},
"$other": {
".write": false
}
}
},
}
}
-> For other shards :
{
"rules": {
"users": {
"$userID": {
".write": "auth.uid != null && !data.exists()",
".read": "auth.uid == $userID",
}
},
"chats": {
"$chat_id": {
".read": "data.child('members/'+auth.uid).exists()",
".write": "(!data.exists() && newData.hasChild('members')) || data.child('members/'+auth.uid).exists()",
}
},
"messages": {
"$chat_id": {
".read": "root.child('chats').child($chat_id).child('members').child(auth.uid).exists()",
".indexOn": ["createdAt"],
"$mess_id": {
".write": "(!data.exists() && newData.child('senderID').val() == auth.uid) || (data.exists() && data.child('senderID').val() == auth.uid)"
}
}
}
}
}
EDIT :
I have made many edit regarding the database structure.
I especially need help with reads rather than writes, as writes seem to be working fine now but i would like confirmation and / or changes if you see mistakes.

Firebase realtime rules how to check if node with AutoID contains correct data

I am trying to write a firebase rule that checks to see if you have access to a child of one node by checking the data of another node. The issue I am having is accessing the other node's data because it is stored under an AutoId. How would I access the data under the AutoId?
Here is my database structure:
{
"products" : {
"Product001" : {
"ownerId" : "User002",
"productName": "Name"
},
"product002" : {
"ownerId" : "User001",
"productName": "Name"
}
},
"shares" : {
"share001" : {
"accepted" : true,
"ownerId" : "User002",
"productId" : "Product001",
"userEmail" : "example#email.com"
},
"share002" : {
"accepted" : true,
"ownerId" : "User001",
"productId" : "Product002",
"userEmail" : "email#exaple.com"
}
},
"users" : {
"User001" : {
"email" : "example#email.com",
"firstName" : "John",
"lastName" : "Smith"
},
"User002" : {
"email" : "email#example.com",
"firstName" : "John",
"lastName" : "Smith"
}
}
}
Here is the section of the rules that is causing me a problem:
"products":{
"$productId":{
".read":"root.child('shares').child($shareId).child('productId').val() === $productId && root.child('shares').child($shareId).child('ownerId').val() === auth.uid",
".write":"root.child('shares').child($shareId).child('productId').val() === $productId && root.child('shares').child($shareId).child('ownerId').val() === auth.uid"
}
}
Essentially, a user is only allowed to access a premises if they are in a share that contains their information.
Thank you for any advice.
There is no way in security rules to query or search another node, as the performance of that would be way too unreliable. So in your current data model it is not possible to allow the user access to a product if they have any shares for that product.
You'll need to have a list somewhere in a knowable path of the products the user can read. For example, say that you keep a list of the products the user is interested in:
"interests" : {
"User001" : {
"Product001": true,
"Product002": true
},
Now you can allow the user access to all products they follow with:
"products":{
"$productId":{
".read":"root.child('interests').child(auth.uid).child($productId).exists()",
".write": ...
}
}

How to allow a node to be created, updated and deleted by the creator but not by other users in Firebase?

My app's content is generated by the user. I want each user to access and edit his own data (the nodes he creates). So the user creates a "clips" node and a "clipOwners" node if the nodes are empty and he should also be able also to update any of these nodes and child nodes if he is the owner. Another user shouldn't be able to create a new node if the node pushKey (i.e. "$11111111") is already taken.
Here is my database structure:
clips {
variable Key >>> "111111111111" : {
"MACaddress" : "111111111111",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
},
"222222222222" : {
"MACaddress" : "222222222222",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
}
},
"clipOwners" : {
"111111111111": "QpMHsVHHRrMvk92rbSQvcYEv4en1"
"222222222222": "QpMHsVHHRrMvk92rbSQvcYEv4en1",
}
I am trying this but the "ownerID" child node keeps on being updated by another user if another user tries to write to the same $MACaddress:
"clips": {
".read": "true",
".write": "!data.exists() || newData.exists()",
"$MACaddress":{
"ownerID": {
".validate": "!data.exists() || newData.val() === root.child('clipOwner').child($MACaddress).val()",
}
}
},
"clipOwners": {
".read": true,
".write": "newData.exists()",
"$MACaddress": {
},
Why is it behaving like that?
Any ideas on how I can lock this thing?
In your current write rules you only check if data (not) exists. In this answer i will only focus on the write rules to make sure you can't have duplicate keys (see clipOwners rules) and you can only write to your own data (see clips rules):
"clipOwners": {
".read": true,
"$MACaddress": {
//Only create or delete are possible and value is the user uid
".write": "(!data.exists() || !newData.exists()) && (newData.val() == auth.uid || data.val() == auth.uid)"
}
},
"clips": {
".read": "true",
"$MACaddress":{
//The $MACaddress has to exist in the clipOwners node and its value has to be the user uid
".write": "root.child('clipOwners/'+$MACaddress).exists() && root.child('clipOwners/'+$MACaddress).val() == auth.uid"
}
}
When writing you first have to write the $MACaddress in the clipOwners node because this will be used to check if the user can write to the clips node.
You can take a look at these docs for a simular case.

What is rules in firebase? & What $ mean in the value incode?

What does $uid mean in the code ?
is $uid a column name or key name?
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
as in document
A wildcard path used to represent ids and dynamic child keys.
more detail , let say you have this data
{
users : {
"SOME_KEY_1" : {"name" : 'test 1' , "private" : {...}} ,
"SOME_KEY_2" : {"name" : 'test 2' , "private" : {...}} ,
"SOME_KEY_3" : {"name" : 'test 3' , "private" : {...}} ,
}
}
and these rule
{
"rules" : {
"users" : {
"$uid" : {
"private" : "auth != null && auth.uid === $uid"
}
}
}
}
you cannot know the keys of users node but you need to prevent other users to private node except their own so you put $uid to represent dynamic child keys
in your case you just allowing user to write to their own data

Firebase: permission_denied -- cannot access newData.child()

This is the structure of my data
{
"projects" : {
"proj1" : {
"-JccS4StrTnJdTficR-u" : {
"name" : "consultation",
"status" : false
},
"-Jd6JlJUfyyZ2U0NTQEs" : {
"name" : "Words",
"status" : false
}
},
"proj2" : {
"-JccS6nwYHRrxvjZtCkt" : {
"name" : "Rework",
"status" : false
},
"-Jd6Jqa7-EPJuWxbtJAV" : {
"name" : "Review",
"status" : false
}
},
"proj3" : {
"-JccSJ5lEBQEg3XCbG-u" : {
"name" : "translation",
"status" : false
}
}
}
}
Here are my rules
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
When I created the database, there was no rule. Now, I've created the rules. I want the length of the name to be less than 10 characters.
When I run the code, I'm getting the following error: FIREBASE WARNING: set at /projects/proj3/-Jd4n6XditTHLWKVmhC6 failed: permission_denied
I can't exactly tell why it's not working. I've also tried just this portion newData.child('name').isString(), but I'm still getting the same error.
Here is the code that push data to FireBase
function saveToFB(taskName, proj) {
// this will save data to Firebase
var project=projTasks.child(proj);
project.push({
name: taskName,
status: false
});
};
Looking at the structure of your data, as well as your rules, it looks like there is a missing level of data between "proj1"/"proj2"/"proj3" and the object that has name and status attributes.
Specifically, the .validate rules you have configured is checking the length of the name attribute for "proj3", not the new element added to the list there.
To get around this, try increasing the depth of the security rules definitions, and make use of the $wildcard functionality, where any security rules key prefixed with $ is treated as a wildcard with a name that you can reuse.
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
"$someChildElementHere": {
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
}

Resources