I have rules set up like this:
{
"rules": {
".read": true,
".write": true,
"ares": {
"user":{
"$user_id": {
".write": "$user_id === auth.uid"
},
"admin":{
"owner":{
".indexOn": ".value",
}
}
}
}
}
}
I want to get owner data by owner_id, but I get this warning:
FIREBASE WARNING: Using an unspecified index. Your data will be downloaded and filtered on the client. Consider adding ".indexOn": "owner_id" at /ares/user/admin/owner/ares/user/admin/owner/bD1kYczs51bdFbJKPxOTKPpQR6i2 to your security rules for better performance.
Seems to me that are nothing wrong with the index itself, but the value you ar trying to query.
Pay attention that the entire path /ares/user/admin/owner appears to be duplicated. You are appending this to the firebase reference.
I think that the correct reference/query should be something like this /ares/user/admin/owner/bD1kYczs51bdFbJKPxOTKPpQR6i2.
Related
I am building a project where I want users to be authenticated to read or write any data in my firebase Realtime Database. I also want to enforce other rules in other nodes of my DB.
After reading the docs, I'm under the impression that the basic way to do this would be to use auth != null in every leaf of my rules tree and combine it with the specific rule I want to enforce. For instance,
{
"rules": {
"rooms": {
"1": {
".read": "auth!=null && !data.exists()"
},
"2": {
".read": "auth!=null"
}
}
}
}
I feel like this will make my rules hard to read and tiresome to write. I was looking for a way to overcome this problem and I thought I would be able to use overlapping statements to achieve this, as described here https://firebase.google.com/docs/database/security/core-syntax#overlapping_statements. For instance,
{
"rules": {
"$route": {
".read": "auth != null",
".write": "auth != null"
},
"rooms": {
"1": {
".read": "!data.exists()"
},
"2": {
".read": "true"
}
}
}
}
}
However, when using the testing tool without authentication to perform a read on /rooms/2, it appears that the query is only tested against the second set of rules, allowing the operation.
From my understanding, both rules sets should have been tested, and the first one should have rejected the operation.
I have three questions :
Is what I am trying to achieve a bad practice ? Should I be enforcing the rules at leaf level ?
What did I misunderstand about overlapping statements ? I'm not seeing the difference between my example and the docs
Is there a way to achieve this ?
Thanks for your help !
I had copied exactly as per the details provided in fire base document
enter link description here
for editing the rules as I received a mail from firebase that my clients will not be able to access data. But what ever I had done I am getting an error like "Error saving rules – Line 4: Expected ',' or '}'.
The code I had copied is shown below
{
"rules": {
"some_path/${uid}": {
".read": true,
// or ".read": "auth.uid != null"
".write": "request.auth.uid == uid"
}
}
}
I tried with some other codes in document also, but the result is same.. Will any one tell me what is wrong with this code
You have the syntax for wildcard rules wrong. The rule with a $ needs to be in a level of its own.
So:
{
"rules": {
"some_path": {
"$uid": {
".read": true,
".write": "request.auth.uid == $uid"
}
}
}
}
Note that I also added the $ in the write rule, as you're trying to use the variable named $uid. there.
{
"rules": {
"some_path/${uid}": {
".read": //Your Condition,
".write": //Your Condition
}
}
}
In a Realtime Firebase database there are a lot off Childs
And in those Childs the are some more.
What rule's do i add so Read = true
Butt only write to the child "Pupil" and everything in that child
"rules":
{
".read": true,
".write": false
}
"Pupil":
{
".read": true,
".write": true
}
}
I am missing a Expected ',' or '}'.
The security rules for the Firebase Realtime Database as in JSON format, and what you have is not valid JSON. In fact, it's not even close.
I highly recommend using a tool that can show you whether your code is valid JSON (a quick search can help you find one of these).
The closest valid JSON equivalent to what you have seems to be:
{
"rules": {
".read": true,
".write": false
},
"Pupil": {
".read": true,
".write": true
}
}
While this is now valid JSON, it is not a valid set of security rules, as you can only have one top-level event (names rules) in security rules, and the rest of your rules needs to be under that.
To make it into valid security rules, nest the Pupil node under the top-level rules:
{
"rules": {
".read": true,
".write": false,
"Pupil": {
".read": true,
".write": true
}
}
}
So you should be able to save the above in the Firebase console without an error.
You can simplify this a bit to:
{
"rules": {
".read": true,
"Pupil": {
".write": true
}
}
}
The top-level read permission is automatically inherited by all nodes under the root. And by default there is no permission, so the ".write": false on the root is implied here.
I want to prevent read access for only one node.
let's assume I have nodes like that
"0" : {
//somedata
},
"1": {
//somedata
},
"2": {
//somedata
},
"3": {
//my private data
}
Now I won't want "3" to be read from any connections. What rules should be written there to prevent its read and write access?
I tried using rules like:-
{
"rules": {
"$3": {
".read": false,
}
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
}
}
If I do this then in the child_added it gives me all nodes also changing "$3" to "3" doesn't matter right now
{
"rules": {
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
"$3": {
".read": false,
}
}
}
the second one gives all nodes because in the very first line of the rule I used the read key as true i.e working on the cascading rule as .read and .write rules work from top-down from firebase docs Firebase Rules Docs
If any suggestions for the same or different approach I need to do this, please suggest me that?
Thanks, folks!
You were close. As you read correctly, the rules cascade from higher tiers down to the more specific ones. So if you approve the write at a higher tier (as you did for the root of your database) that "allowed" write permission applies to your entire database.
The $ is used to identify a variable name in the path. So when you use "$3" you are actually defining a variable named "$3", not referencing the specific key "3". What you are looking to do is specify a variable that is used for all values that aren't "3", which by convention, is called "$other".
{
"rules": {
"3": {
".read": false,
".write": false
},
"$other": { // any key not named above at this level
".read": true,
".write": "auth!=null && auth.uid == 'myuid'"
}
}
}
This should work:
{
"rules": {
"3": {
".read": false,
".write": false,
}
".read": true,
".write": "auth!=null && auth.uid == 'myuid'",
}
}
1st you are checking, if the data is "3", block it and return. If not check below rules (in this case, allow authenticated users).
trying to get this to work :
{
"rules": {
".read": true,
".write": "auth.uid == simplelogin:2",
}
}
I want just a specific user to have a write control over everything (for now). How do I make this work?