If i write write: "auth != null" who can write ?
Only the person which has my google account and password or all persons who have a google account?
I want to be the only one who can write to the database page but I can't change the rule to false.
If I write: ".write": "auth != null" who can write to my database?
As Frank said, only people who have authenticated using Firebase can write with this rule. If you have no way for users to sign up for your app, then you'd be the only one who can write. If you have users create an account, they're "authenticated" as well and can write. If you want to limit writing just to your user account, get your user id and use this rule where MY_USER_ID is your uid, or look into custom claims.
".write": "'MY_USER_ID' === auth.uid"
This assumes you want to write from some interface other than directly in Firebase. If you want to prevent all writing and manually upload/edit copy directly into Firebase, you can set:
".write": false
...which would prevent all writes from users anywhere, but which would still allow you to edit your data in the console.
If you have this rule:
".write": "auth != null"
Any user who is authenticated can write to your database. That means anyone who signs in with a method that you've enabled in your Firebase Authentication console .
Related
{
"rules": {
"gallery": {
"$artwork": {
".read": "true",
".write": "auth.uid === \"UID\""
}
},
"gallerymap": {
".read": "true",
".write": "auth.uid === \"UID\""
}
}
}
I am creating a gallery that stores the artworks information in a real-time database, so I can add artwork through a page and store it. How do you send a write request along with the UID?
I can't find any documentation for sending a write request along with the UID.
To set the auth variable (including auth.uid) you have to sign the user in to Firebase Authentication. Once a user is signed in to Firebase Authentication, their token is automatically passed with any calls to the Realtime Database SDK, and the auth. variable in your rules is automatically populated from that.
If you're not using Firebase Authentication yet, the simplest way to add it is by implementing anonymous authentication which doesn't require the user to enter any credentials. I usually use anonymous authentication as a first step, print the UID that I get back in my code, and then copy/paste that into my security rules.
I want to allow specific persons to edit the data on the Firebase Database that users are not allowed to edit.
I am allowing by simply allowing them to write with their user ids:
".write": "auth != null && auth.uid === 'h7yic7LeS123asdfsdgwPrfKZ2'"
Is this a safe method? Do I have to use token based authentication to assign roles to the moderators?
If you use a standard way to authenticate your user (i.e. login) like, e.g. Firebase UI (https://github.com/firebase/firebaseui-web), this is indeed a safe method.
As a matter of fact, using such an authentication mechanism will populate auth.uid with the uid of the user and therefore only user with uid h7yic7LeS123asdfsdgwPrfKZ2 will be able to write to the corresponding database node.
Since you are mentioning "specific personS" (i.e. more than one user) you may use a different approach than hardcoding the users' uid in the security rule. You could, for example, use a rule like this one:
".write": "auth != null && root.child('admins/' + auth.uid).exists()"
In this case you would declare the uids of the authorised persons as children of the "admins" database node:
-admins
-h7yic7LeS123asdfsdgwPrfKZ2: true
I'm new to Firebase database so I have a questions concerning the database.
My database rules so far is public like this:
"rules": {
".read": "auth == null",
".write": "auth != null"
}
I want the access to my database info (read and write) to be only for my application. I want to make my firebase to only allow read and write instructions if the appID or BundleIdentifier or something that identifies that it is my app who's trying to operate.
Is it possible? I don't want to use Firebase user authentication.
With the configurations I have so far is it possible for anyone in the world to access my database?
It's not possible to use the app's ID with Realtime Database security rules. The list of properties you can use in rules is documented here.
Also, if you want to allow full read access to your database, consider also saying this:
"rules": {
".read": true
}
What you have now ".read": "auth == null", only allows read access if you are not authenticated. Authenticated users would not be able to read, which doesn't sound helpful.
So the last thing I want is anyone accessing the database that isn't supposed to. Users on my app create an account which has a key and children in my database (an easy to acces user profile) and it also makes an auth account. The rules of the database state that only authenticated users can access the database. Is it possible for someone who is authenticated to somehow access the rest of the database (through hacking maybe)? This is my first app using firebase and I want to make sure that user information will be protected.
It depends by your rules.
If the rule is:
// These rules require authentication
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This kind of rule allows full read and write access to authenticated users of your app. In other words an authenticated user can access all the data in the database without any hacking.
If you set something similar to this rule:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
it grants write access to the owner of this user account but only of this data.
It means that you have to set the rules to obtain the wanted result for each nodes in your data.
I'm using Firebase for my app and was wondering how to block certain users. I see on the Auth tab of the console, there are "delete" and "disable" options. What do those do? I haven't been able to find documentation on that. Will one of those allow me to block a user?
What I mean by blocking a user is for the ".read": "auth != null" rule to prevent him from accessing data on the database
The disable feature consist in preventing that user to authenticate. So if he tries to authenticate he will fail with error code INVALID_CREDENTIALS and he won't have access to the data that has the ".read": "auth != null" rule. It works like he is deleted but the admin still have the power to reactivate the user account.
If you want to build a list of "blocked users" that will be able to authenticate but will have restricted access, you can store the blocked ids in a node on your firebase database like /databaseRoot/blockedUsers and then work with the security and rules.
".read": "auth != null && !root.child('blockedUsers').hasChild(auth.uid)"
blockedUsers could look like the tree bellow but you could also add some other info under the userId such as the date this user was blocked.
/databaseRoot
/blockedUsers
userId1 : true
userId2 : true
Adding the user to this list will depend on your necessity. You can do it manually by accessing the firebase console and adding the user id to the node. Or, if you want to block an user based on an event on the application, you could simply call something like
ref.child('blockedUsers').child(userIdToBlock).set(true);