in my Firebase application want to apply different RULES for different data.
ex: my data are
ContactUs
-Ksdasda4sd
name: "Ram"
email: "ram#gmail.com"
message: "Hello how are u"
HotelLocation
-Ksdaseeesd
name: "Hotel Name"
address: "Near Highway"
city: "Bangalore"
without login ContactUs data can be read write by public,where HotelsLocations can be read and write after login only.
on this configuration both need authentication.
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
can is it possible
This is the configuration.
{
"rules": {
"contactme" : {
".read": "auth != null",
".write": "true"
},
"HotelLocation" : {
".read": "auth != null",
".write": "auth != null"
}
}
}
Related
appreciate this looks like this is been answered various times for individual requirements. Completely new to Firebase and I want to get some insight into this. I have been presented with the message from Firebase.
We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
any logged-in user can write to your entire database
My current rules look like this:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"items": {
".indexOn": "ownerId"
},
"events": {
".indexOn": "ownerId"
},
"contacts": {
".indexOn": "ownerId"
}
}
}
Based on the documentation, Do I simply need to do this?
{
"rules": {
".read": "auth != null && auth.uid == $uid"
".write": "$user_id === auth.uid",
"items": {
".indexOn": "ownerId"
},
"events": {
".indexOn": "ownerId"
},
"contacts": {
".indexOn": "ownerId"
}
}
}
Will users still be able to access their own (previously) written data prior to making the change while enforcing the security rules from Firebase.
Apologies if this a silly question, but got a lot of data which I cannot let users not have access to.
Thanks
As firebase documentation says:
Sometimes, Rules check that a user is logged in, but don't further restrict access based on that authentication. If one of your rules includes auth != null, confirm that you want any logged-in user to have access to the data.
So you have to get rid of this part down under the rules part:
".read": "auth != null",
".write": "auth != null",
And use any of these approaches: Content owner only, Path-delineated access or Mixed public and private access.
For example:
{
"rules": {
"products": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
".indexOn": ["creatorId", "isActive"]
}
},
"stores": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
".indexOn": ["creatorId", "isActive"]
}
},
"orders": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
}
},
}
}
I get PERMISSION_DENIED: Permission denied when try to create an user:
{
"rules": {
".read": true,
".write": "auth != null",
"users": {
"$uid": {
".read": true,
".write": "auth.uid == $uid",
".validate": "
newData.child('user').isString() &&
newData.child('user').val().length > 3
"
}
}
}
}
user is string, has more than 3 letters. But I think it has something to do with the id.
I create an user with createUserWithEmailAndPassword and try to insert it on database:
firebase.database().ref('users/' + userID).set({
username: username,
email: email
});
The userID is the id createUserWithEmailAndPassword returns...
Any ideas what is wrong?
You problem comes from the .validate part: with your rules you need to write a node as follows
firebase.database().ref('users/' + userID).set({
user: username, // <-- see here we have a user sub-node
email: email
});
Or you need to change your rules as follows:
{
"rules": {
".read": true,
".write": "auth != null",
"users": {
"$uid": {
".read": true,
".write": "auth.uid == $uid",
".validate": "
newData.child('username').isString() &&
newData.child('username').val().length > 3
"
}
}
}
}
I have a childnode in my database
Posts --> tapCount.
My default Firebase rules only allow someone to write to a node under 'Posts' when they are signed in. However I need write access to just this one node 'tapCount' even when they are not signed in.
I'm having trouble getting a rule to help me do this. Any thoughts ? Thanks
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"Posts": {
".indexOn": ["userId","category"],
"tapCount": {
".read": true,
".write": true
},
".read": true,
".write": "auth != null",
}
}
I have a Firebase with a security config like this:
{
"rules": {
"serviceproviders": {
".read": "auth != null",
".write": "auth != null"
},
"bookings": {
".read": "auth != null",
".write": true,
".validate": "newData.hasChildren(['phone', 'time', 'date', 'apikey'])",
"apikey": {
// only allow valid apikey
".validate": "root.child('serviceproviders/' + newData.val()).exists()"
}
},
"status": {
".read": "auth != null",
".write": true
}
}
}
The idea is that users can only post /bookings/ with a valid apikey, that is, an apikey that can be found in /serviceproviders/.
In the Firebase simulator, this works as expected. However, when I use curl from the terminal, or Javascript from a html page, I get error: permission denied back from Firebase. I send exactly the same data (copy & paste).
My curl command looks like this:
$ curl -X POST -d '{"phone":"004512345678", "date":"2014-07-31","time":"10:00","apikey":"AA227D80-122C-4E5D-AEDF-24A829FA6403"}' https://example.firebaseIO.com/bookings/.json
And I get back:
{
"error" : "Permission denied"
}
OK, so after many hours of pulling my hair, I realized that in the guide on Firebase.com, the ".validate" rules are inside a block denoting the ID under that path, thus:
{
"rules": {
"serviceproviders": {
".read": "auth != null",
".write": "auth != null"
},
"bookings": {
".read": "auth != null",
".write": true,
"$bookings_id": {
"apikey": {
// only allow valid apikey
".validate": "root.child('serviceproviders/' + newData.val()).exists()"
},
".validate": "newData.hasChildren(['apikey','date','time','phone'])"
}
},
"status": {
".read": "auth != null",
".write": true
}
}
}
works as expected, because of the "$bookings_id" block.
So I have this application where anonymous users are allowed to write but not read a specific path. They are posting data to a moderated message board kind of thing.
But with my current security rules, they are allowed to overwrite existing data as well. How can I disallow updates and allow only new posts.
My current security rules:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"inbox" : {
".write": true,
},
"moderated" : {
".read": true,
},
}
}
Use data.exists() to determine if the object they're trying to write already exists:
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"inbox" : {
"$post" : {
".write": "!data.exists()",
}
},
"moderated" : {
".read": true,
},
}
}