Firebase user permission - firebase

I have two mega parent nodes, but I am currently unable to write to the second one.
-users
    uid
        some other info
    uid
-secondParent
    child
        uid
    child
        uid
I would like the user to be able to write to his own child of secondParent. Read and write permissions are working correctly for the users parent node, but I can't get it working for the secondParent.
The rule I have currently is:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null",
        ".write": "$uid === auth.uid",
      }
    },
    "parentdNode": {
      "$childID": {
        ".read": "auth != null",
        "$uid": {
          ".write": "$uid === auth.uid",
        }
      }
    }
  }
}
Simulation failure below:

You have to write rules for each parent to enable permission:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null",
        ".write": "$uid === auth.uid",
      }
    },
    "parentdNode": {
      "$childID": {
        "$uid": {
          ".read": "auth != null",
          ".write": "$uid === auth.uid",
        }
      }
    }
  }
}

According to the screenshot, you are trying to write {"uid":"X","property":"Y"} to /parentNode/someNode. The rules give permission to write {"property":"Y"} to /parentNode/someNode/65ef..aa62.
JSON trees come with key/value pairs. There is no key uid in the scheme you presented; there is a $uid, which is replaced by a value from the path you are accessing.
It may still be a bit confusing, but I hope this points to clarifying ideas.

Related

Can I access data from firebase's real time database on security rules

I have a token stored in my /users/UID object, and I want to check if the token provided in the request matches it. How can I do this?
At the moment, I have this:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        "files": {
          ".write": "newData.child(\"token\").val() === \"ZnYKcbTIaN466iQ\"",
          ".read": "$uid === auth.uid"
        },
      }
    },
  }
}
The code above returns true, but the token changes periodically. Can I, somehow, access this information in my database?
I got it! The check was quite simple: you just need to use the data object.
".write": "newData.child(\"token\").val() === data.child(\"token\").val()"

Firebase rules: Unknown variable '$uid'

I want users to only access their own content, except for one child node: common.
In the common child node, I want all signed-in users to have access.
I have made the following rules:
{
  "rules": {
    "$uid": {
      ".read": "$uid === auth.uid",
      ".write": "$uid === auth.uid"
    },
    "common" : {
      ".read": "auth != null && auth.uid == $uid",
      ".write": "auth != null && auth.uid == $uid"
    }
  }
}
Firebase gives me the error:
Error saving rules - Line 8: Unknown variable '$uid'.
The error appears in this line: ".read": "auth != null && auth.uid == $uid",
Based on your question, this is your desired database structure:
{
  "userIdA": { // anything here can be written by only userIdA
    "name": "Tom", // this is just example data
    "location": "London",
    /* ... */
  },
  "userIdB": { // anything here can be written by only userIdB
    "name": "Sarah",
    "location": "New York",
    /* ... */
  },
  /* ... other user data ... */
  "common": { // anything here can be written by signed in users
    "data1": "some value",
    "data2": "some other value",
  }
}
The rules for this structure would be:
{
  "rules": {
    "common" : {
      ".read": "auth != null", // logged in users can read
      ".write": "auth != null" // logged in users can write
    },
    "$uid": { // $uid will be the value of any key, that isn't listed above it (in this case, anything other than "common")
      ".read": "$uid === auth.uid", // only the matching user can read
      ".write": "$uid === auth.uid" // only the matching user can write
    }
  }
}
Note: This data structure isn't very secure. Allow read/write access to only what you need in your database. With this structure, any user could come along and open up their console and delete everything under "/common". You may consider adding ".validate" rules to make sure certain keys (such as "/common/data1") are only strings.
The $uid must be inside users Document like the example below:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

How to add exclude data in Firebase rules on multiple levels?

I have my rules set. Normally, all data can only be read by the person who is auth to do so. However, I want to make exceptions. These are my rules:
"rules": {
  "users": {
    "$uid": {
      ".read": "$uid === auth.uid",
      ".write": "$uid === auth.uid",
      "ForEveryone": {
        ".read": true,
        ".write": true
      }
      "NoWrite" : {
        ".read": true,
        ".write": false
      }
    }
  }
So let's say I have 3 strings. String 1 is called private, and the auth person can read and write it. String 2 is ForEveryone, so everyone can change and write data. String 3 is NoWrite, for everyone, but you can not write to it.
I get an error saying: Expecting a ; or " at the line NoWrite. So what am I doing wrong? Is it a wrongly placed }? Thank you.
The approach you're taking to your rule structure won't work. Firebase security rules cascade, meaning that a permission given to any node will apply to any of its children and on down the tree. You cannot grant read or write access on a node and then revoke it further down. (But you can grant permissions not granted above.) See the docs on rule cascading.
In your case, you want to have some user data that can be written to by anyone and some that cannot. It's not clear from your example whether you want NoWrite to be written only by the authenticated user, or by nobody. Depending on how you will be reading this data, you will need to either separate these data into different collections, or make $uid inaccessible and define your rules only for ForEveryone and NoWrite.
The first approach might look like this:
"rules": {
  "users-public": {
    "$uid": {
      ".read": "true",
      ".write": "true"
    }
  },
  "users-nowrite": {
    "$uid": {
      ".read": "true",
      ".write": "$uid === auth.uid"
    }
  }
}
Or the second, like this:
"rules": {
  "users": {
    "$uid": {
      "ForEveryone": {
        ".read": "true",
        ".write": "true"
      },
      "NoWrite" : {
        ".read": "true",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
As to your syntax error, you need a comma , after the closing brace before "NoWrite".
Here are your rules, properly spaced so you can see the relationship between the parent nodes and child nodes. It seems this is not what you want. So this isn't really an answer but will lead to a better question that we can answer. Will update once we know what the OP is after.
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid",
        "ForEveryone": {
          ".read": true,
          ".write": true
        },
        "NoWrite" : {
          ".read": true,
          ".write": false
        }
      } //end uid
    } //end users
  } //end rules
} //outside closure

Security rules for posting to a user's subdirectory in Firebase

The following are my Firebase security rules:
security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}
It works fine when my path ends with the users directory. As in:
https://my-firebase.firebaseio.com/users/my-user-id.json
But when I try to post directly to a subdirectory, as follows:
https://my-firebase.firebaseio.com/users/my-user-id/settings.json
it doesn't work.
Question
What do I need to do to the security-rules.json file (or anything else) to be able to write directly to a user's subdirectory?
Edit:
Someone suggested, "just extend your rule to include settings." So I tried this:
security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      },
      "settings": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}
Which throws the following error:
9:30: Unknown variable '$uid'.
10:31: Unknown variable '$uid'.
This works in the simulator:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "settings": {
        }
      }
    }
  }
}
After further testing, I found the security rules contained in the OP also work in the simulator:
security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}
There is no need to add additional rules for writing deeper into the node tree. The highest level permissions are sufficient.
Aside: My problem appears to be something other than the security rules I'm using. I must do more research, experimentation and testing.
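A simplified model of the behaviour described in the answers above: rule cascading, a $uid rule covering writes deeper in the tree, and wildcards taking their value from the path. This is an added example, not code from any of the posts and not Firebase's own evaluator; the rule tree is constructed from snippets on this page, and evalRule and allowed are hypothetical helper names.

```javascript
// Simplified model (not Firebase's engine): handles only `auth` and $wildcards.
// Constructed rule tree combining the snippets discussed above.
const rules = {
  users: {
    $uid: {
      ".read": "$uid === auth.uid",
      ".write": "$uid === auth.uid",
      NoWrite: { ".read": "true", ".write": "false" }
    }
  },
  parentNode: {
    $childID: {
      ".read": "auth != null",
      $uid: { ".write": "$uid === auth.uid" }
    }
  }
};

// Evaluate one rule string with `auth` and the captured wildcards in scope.
// new Function is applied only to the constructed strings above.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  try {
    const fn = new Function("auth", ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (e) {
    return false; // e.g. auth is null or an unknown variable: deny
  }
}

// Walk from the root towards `path`. Access is granted as soon as one rule
// on the way is true; a deeper rule can add access but never revoke it.
function allowed(op, path, auth) {
  let node = rules;
  const vars = {};
  for (const seg of path.split("/").filter(Boolean)) {
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wild) return false; // no rule matches this deep: default deny
      vars[wild] = seg; // the wildcard takes its value from the path
      node = node[wild];
    }
    const expr = node["." + op];
    if (typeof expr === "string" && evalRule(expr, auth, vars)) return true;
  }
  return false;
}
```

For example, allowed("write", "/users/u1/NoWrite", { uid: "u1" }) is true even though NoWrite sets ".write" to false, while allowed("write", "/parentNode/someNode", { uid: "u1" }) is false because the write rule sits one level below that path.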

Access a node/path by two specific users only

I've read up and tried denormalization and while it makes perfect sense for cases like comments/messages that are accessible publicly while a user can only write to his own path/node, I'm having a hard time restricting ".read" rule to the user/owner AND to another user/admin. My use case doesn't publicly post all messages. To expound, for example, messages by user1 are only readable by user1 and admin, while still retaining write-only to user1.
How is this achieved? In security rules, I tried:
"messages": {
  ".read": "auth !== null",
  ".write": "auth !== null",
  "$message": {
    ".read": "data.child('userID').val() === auth.uid"
  }
}
OR
"messages": {
  ".write": "auth !== null",
  "$message": {
    ".read": "data.child('userID').val() === auth.uid"
  }
}
OR
"messages": {
  "$user_id": {
    ".read": "auth.uid === $user_id",
    ".write": "auth.uid === $user_id"
  }
}
While the last one does restrict reading and writing to the authenticated user, say user1, I had no luck getting the admin user to get all users' messages. The first, I can't circumvent the cascading/top-down rule.
I'm a firebase newbie so if this is really simple to do, I appreciate any helping hand.
Thanks!
This depends on how you define an administrator.
Let's first say that your admin is a known user with uid SOF.
"messages": {
  "$user_id": {
    ".read": "auth.uid === $user_id || auth.uid == 'SOF'",
    ".write": "auth.uid === $user_id"
  }
}
If you want the administrator to be configurable, you'll probably store their ID somewhere else, say in a node called administrators:
administrators
    SOF: true
    Frank: true
messages
    ...
In that case you can check if the current uid is either in the current node or it exists in the list of administrators:
"messages": {
  "$user_id": {
    ".read": "auth.uid === $user_id || root.child('administrators/'+auth.uid).exists()",
    ".write": "auth.uid === $user_id"
  }
}
Update
Since you want administrators to be able to read all messages, you'll end up with:
"messages": {
  ".read": "root.child('administrators/'+auth.uid).exists()",
  "$user_id": {
    ".read": "auth.uid === $user_id",
    ".write": "auth.uid === $user_id"
  }
}
