firebase rules write permission for only one user [duplicate] - firebase

This question already has answers here:
How to only allow one admin user to write Firebase Database?
(2 answers)
Closed 5 years ago.
I'm having trouble to write Firebase database rules. I would like to give write permission to only one user i.e admin user. All others will have read permission.
Please help me to write a Firebase database rule to restrict other users to write.

"rules":{
"users" : {
"$uid" : {
".read" : "auth!=null",
".write" : "$uid === adminUID"
}
}
}
This will help you

{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
Just replace auth.uid with the uid of the admin you want to be able write to the database.
You can read the documentation here:
https://firebase.google.com/docs/database/security/

I assume your access rights apply to the entire JSON data and admin is the one who has access to firebase console. So, below rule will work,
{
"rules": {
".read": true, // (or) ".read": "auth != null"
".write": "auth != null && auth.token.isAdmin == true"
}
}

Related

How to access parent auth status in array

I'm not sure whether the title of this is appropriate as I'm new to Firebase Authentication and rules, however, I have successfully setup authentication and am now trying to protect a particular route and can't seem to access the relevant data, here's my Firebase rules on my realtime database:
{
"rules": {
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
},
"demo": {
".read": "accounts.$uid === auth.uid",
".write": true
}
}
}
As you can see, I'm trying to access the accounts/$uid/ from within "demo", it doesn't seem to work, what am I missing/what do I need to change?
Many thanks
UPDATE
The code in question not working is:
".read": "accounts.$uid === auth.uid"
I can't seem to access this part. It doesn't seem to get the current user's authentication status.
UPDATE
See attached screenshot for my attempt on using a predefined variable. I'm simply trying to get the auth status and I'm getting an error saying it's undefined?
The UID of the current user who is trying to access the data is available in auth.uid. If you're trying to ensure that a read of quotes is only allowed if the user has a document in the accounts node, you're looking for exists().
"website-quotes": {
".read": "root.child('accounts').child(auth.uid).exists()"
}

Vue.js Firebase RealTime DB Rules - set rules for property modified by app function

I hae a project database structure :
users
isSuperMan: false
isAdmin: false
info:
givenName: xxxxxx
address: yyyyyy
....
memberships:
2018:
paid: 10
paidOn: 20198-01-01
paymentType: 1
2017:
paid: 10
paidOn: 20198-01-01
paymentType: 1
....
and my current Firebase rules are set to allow a logged user to create/update/delete his own data
{
"rules": {
".read": "auth.uid != null",
".write": false,
"users": {
"$uid": {
".write": "$uid == auth.uid"
}
}
}
}
As I am totally newbie with Firebase rules , I don't see how to set them to handle the following business cases , any help appreciated
I wonder if I should not go for Firestore to handle such cases ?
logged user with Superadmin or Admin role ( true) can read/write ALL DATA
standard logged user can read/write his own info
standard user can read but cannot update/delete memberships
memberships data are written only when logged user is paying it
To give someone with the admin role read access to the whole database, use these rules:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
This read rule replaces what you currently have, since right now all signed in users can read the entire database.
To then allow each user to read/write their own info, modify the above to:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true",
"users": {
"$uid": {
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
}
}
I highly recommend checking out the Firebase documentation on security rules, specifically the section on securing user data (which covers step two I showed above), as well as the great video explaining security rules.

Lock down the database structure of firebase

I am new to firebase and I am building a small SPA.
I could set the security rules like the following. (Only authenticated user can read or write his own projects.)
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This works fine but when I sign in to my app, inspect the source code and try adding hidden extra objects in project form, firebase still accept it.
In this screenshot, the objects such as blablab, blablabla are added from Chrome's inspect tool.
As the data structure has to be like
users-->userId-->projects-->unquieKey-->project_title
But after I added it, the db structure is messed up.
I want to know that how can I prevent someone sending extra data or spam objects?
When you use this:
{
"rules": {
"users":{
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
It means only authenticated users can read and write to the database. So every user who was authenticated will be able to send data to the database. To prevent spam, you need to think of a way(maybe a function that prevents user to write specific words to the database)
You can also use validation, that can help a bit:
{
"rules": {
".validate": "newData.isString() && newData.val().length < 100"
}
}
more details here: https://firebase.google.com/docs/database/security/
You can use this:
{
"rules": {
".read": true,
".write": false
}
}
to prevent anyone from sending data

Firebase read and write by user

I'm new to app development I want to make the user read and write his own data from fire base real time database and every user has his own data .
And this are the rules:
{
"rules": {
".read":true,
".write":true
}
}
And here is a pic show what every single user have:
Thanks in advance
You need to separate your data into sections based on the user's UID.
So your data would need to be more like:
userId
DONE_LIST
...
TO_DO_LIST
...
LESSONS
...
And then your rules can be:
{
"rules": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
For more details on Firebase rules, please see https://firebase.google.com/docs/database/security/#section-authorization.

Firebase security, only auth/admin can delete?

I must be missing something obvious?
How do I setup firebase security rules so:
any user can ONLY read and create new data
admin/auth can ALSO delete the data
I can't see anywhere in the documentation the ability to have multiple ".write" rules for the same directory...
{
"rules": {
".read": true,
// this only occurs if "auth === null" otherwise should be full access.
".write": "!data.exists() && newData.exists()"
}
}

Resources