Github repo https://github.com/JesseSoldat/Around-The-World-NG2-Firebase
Firebase JSON data exported to a file is in the repo FIREBASE_DATA.json
I have been trying to figure out the firebase database rule. I have read many articles and they all say that I need to do something like this
{
"rules": {
"locations": {
"$uid": {
".read": "true",
".write": "$uid === auth.uid"
}
},
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
I have structured my data with two directories
locations READ - all users WRITE - only the user that owns this data
users READ / WRITE - only the user that owns this data
When I set these rules my currently logged in user does not see their data anymore.
DATABASE
my format for saving users/${this.uid}/stories
I was using the UID as a way to make each user unique in the database.
ERROR MESSAGE from Firebase
Error: permission_denied at /users/HBTaJt057Bf63oS771gah1allYe2/stories: Client doesn't have permission to access the desired data.
I am not sure if I don't understand the concept or if I am missing some minor detail. Any ideas would be truly appreciated.
Regards,
Jesse
Related
I am working on the app that I need to connect to the dev firebase.
This firebase has database rules as follows:
"rules": {
// no read access at root level
".read": "auth.uid === 'emailaddressgmailcom'",
".write": false,
What I cannot understand is how auth.uid is specified to be an exact email address?
As far as I tried I only get unique uid provided by Google. (set of numbers and letters)
Hence I can never pass the auth to read from the database, unless I specify my exact uid given by Google in the databse rules, which is not an option because there will be another user who needs an access to db and I do not know his uid.
auth is one of the predefined variables.
By doing auth.uid, you get the user id ("guaranteed to be unique across all providers").
You need, in your Security Rules to use it to defined the access rights of a given user to one or more given resources, as explained here in the doc.
You could compare it to a fixed value, if a certain resource shall be read by a unique user:
".read": "auth.uid === 'HGH656675FHGFGHF3454'"
but usually you compare it to some parts of the path of the node/resource you want to protect, like for example:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
This is how you should do to solve your problem "there will be another user who needs an access to db and I do not know his uid".
I would suggest you read the entire section about RTDB Security Rules form more details: https://firebase.google.com/docs/database/security
Please try below rules
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
// These rules grant access to a node matching the authenticated
// user's ID from the Firebase auth token
I'm not sure whether the title of this is appropriate as I'm new to Firebase Authentication and rules, however, I have successfully setup authentication and am now trying to protect a particular route and can't seem to access the relevant data, here's my Firebase rules on my realtime database:
{
"rules": {
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
},
"demo": {
".read": "accounts.$uid === auth.uid",
".write": true
}
}
}
As you can see, I'm trying to access the accounts/$uid/ from within "demo", it doesn't seem to work, what am I missing/what do I need to change?
Many thanks
UPDATE
The code in question not working is:
".read": "accounts.$uid === auth.uid"
I can't seem to access this part. It doesn't seem to get the current user's authentication status.
UPDATE
See attached screenshot for my attempt on using a predefined variable. I'm simply trying to get the auth status and I'm getting an error saying it's undefined?
The UID of the current user who is trying to access the data is available in auth.uid. If you're trying to ensure that a read of quotes is only allowed if the user has a document in the accounts node, you're looking for exists().
"website-quotes": {
".read": "root.child('accounts').child(auth.uid).exists()"
}
I hae a project database structure :
users
isSuperMan: false
isAdmin: false
info:
givenName: xxxxxx
address: yyyyyy
....
memberships:
2018:
paid: 10
paidOn: 20198-01-01
paymentType: 1
2017:
paid: 10
paidOn: 20198-01-01
paymentType: 1
....
and my current Firebase rules are set to allow a logged user to create/update/delete his own data
{
"rules": {
".read": "auth.uid != null",
".write": false,
"users": {
"$uid": {
".write": "$uid == auth.uid"
}
}
}
}
As I am totally newbie with Firebase rules , I don't see how to set them to handle the following business cases , any help appreciated
I wonder if I should not go for Firestore to handle such cases ?
logged user with Superadmin or Admin role ( true) can read/write ALL DATA
standard logged user can read/write his own info
standard user can read but cannot update/delete memberships
memberships data are written only when logged user is paying it
To give someone with the admin role read access to the whole database, use these rules:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
This read rule replaces what you currently have, since right now all signed in users can read the entire database.
To then allow each user to read/write their own info, modify the above to:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true",
"users": {
"$uid": {
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
}
}
I highly recommend checking out the Firebase documentation on security rules, specifically the section on securing user data (which covers step two I showed above), as well as the great video explaining security rules.
I'm new to app development I want to make the user read and write his own data from fire base real time database and every user has his own data .
And this are the rules:
{
"rules": {
".read":true,
".write":true
}
}
And here is a pic show what every single user have:
Thanks in advance
You need to separate your data into sections based on the user's UID.
So your data would need to be more like:
userId
DONE_LIST
...
TO_DO_LIST
...
LESSONS
...
And then your rules can be:
{
"rules": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
For more details on Firebase rules, please see https://firebase.google.com/docs/database/security/#section-authorization.
I'm still starting out with firebase and i'm using angularfire to connect.
I was able to do the authentication successfully using google as a provider and I logged in using my account and got back my user details including uid & image, however, when I attempt to retrieve any data I get: permission_denied at /series: Client doesn't have permission to access the desired data. I also tried the simulator and got the same issue.
Here's my database:
My rules:
The data I entered in the simulator. I got the uid after signing in using google in the app:
And the result after using the simulator:
Here's where I got my UID from: (The authentication tab)
What am I supposed to be doing but not doing?
Finally found the answer. As cartant wrote
there are no read permissions granted, as .read defaults to false
all I needed to do was to ".read": "auth != null"
So the new rules are:
{
"rules": {
"series": {
".read": "auth != null", << THAT WAS MISSING
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}