I'm still starting out with firebase and i'm using angularfire to connect.
I was able to do the authentication successfully using google as a provider and I logged in using my account and got back my user details including uid & image, however, when I attempt to retrieve any data I get: permission_denied at /series: Client doesn't have permission to access the desired data. I also tried the simulator and got the same issue.
Here's my database:
My rules:
The data I entered in the simulator. I got the uid after signing in using google in the app:
And the result after using the simulator:
Here's where I got my UID from: (The authentication tab)
What am I supposed to be doing but not doing?
Finally found the answer. As cartant wrote
there are no read permissions granted, as .read defaults to false
all I needed to do was to ".read": "auth != null"
So the new rules are:
{
"rules": {
"series": {
".read": "auth != null", << THAT WAS MISSING
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
Related
I'm not sure whether the title of this is appropriate as I'm new to Firebase Authentication and rules, however, I have successfully setup authentication and am now trying to protect a particular route and can't seem to access the relevant data, here's my Firebase rules on my realtime database:
{
"rules": {
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
},
"demo": {
".read": "accounts.$uid === auth.uid",
".write": true
}
}
}
As you can see, I'm trying to access the accounts/$uid/ from within "demo", it doesn't seem to work, what am I missing/what do I need to change?
Many thanks
UPDATE
The code in question not working is:
".read": "accounts.$uid === auth.uid"
I can't seem to access this part. It doesn't seem to get the current user's authentication status.
UPDATE
See attached screenshot for my attempt on using a predefined variable. I'm simply trying to get the auth status and I'm getting an error saying it's undefined?
The UID of the current user who is trying to access the data is available in auth.uid. If you're trying to ensure that a read of quotes is only allowed if the user has a document in the accounts node, you're looking for exists().
"website-quotes": {
".read": "root.child('accounts').child(auth.uid).exists()"
}
I hae a project database structure :
users
isSuperMan: false
isAdmin: false
info:
givenName: xxxxxx
address: yyyyyy
....
memberships:
2018:
paid: 10
paidOn: 20198-01-01
paymentType: 1
2017:
paid: 10
paidOn: 20198-01-01
paymentType: 1
....
and my current Firebase rules are set to allow a logged user to create/update/delete his own data
{
"rules": {
".read": "auth.uid != null",
".write": false,
"users": {
"$uid": {
".write": "$uid == auth.uid"
}
}
}
}
As I am totally newbie with Firebase rules , I don't see how to set them to handle the following business cases , any help appreciated
I wonder if I should not go for Firestore to handle such cases ?
logged user with Superadmin or Admin role ( true) can read/write ALL DATA
standard logged user can read/write his own info
standard user can read but cannot update/delete memberships
memberships data are written only when logged user is paying it
To give someone with the admin role read access to the whole database, use these rules:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
This read rule replaces what you currently have, since right now all signed in users can read the entire database.
To then allow each user to read/write their own info, modify the above to:
{
"rules": {
".read": "root.child('users').child(auth.uid).child('isAdmin').val() === true",
"users": {
"$uid": {
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
}
}
I highly recommend checking out the Firebase documentation on security rules, specifically the section on securing user data (which covers step two I showed above), as well as the great video explaining security rules.
I'm new to using Firebase (I'm using react-redux-firebase, but not sure if that's relevant to this question). I'm having an issue using these standard auth rules:
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
This is user UID as shown in the Firebase Authentication dashboard:
But if I print out the data associated with the profile/account, I get this UID:
Because of this mismatch, the logged in user is unable to read or write to the firebase instance.
Why is there a mismatch in UIDs? How can I solve this issue?
UPDATE:
It looks like the 1091103… UID is provider-specific and not relevant in this case? Can't confirm that for sure.
This may be the actual auth UID (I'm new to this, so still trying to figure out what's what):
In this case, this UID matches what is seen in the Firebase console. If they match, then what would be the cause of the permission denied errors?
ANOTHER UPDATE:
Here's the user node. You can see the UID as the key:
This is the rule you can do right now
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
if you want to check like below
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
you need to store the users to realtime database while register. with their auth.uid as key.
Github repo https://github.com/JesseSoldat/Around-The-World-NG2-Firebase
Firebase JSON data exported to a file is in the repo FIREBASE_DATA.json
I have been trying to figure out the firebase database rule. I have read many articles and they all say that I need to do something like this
{
"rules": {
"locations": {
"$uid": {
".read": "true",
".write": "$uid === auth.uid"
}
},
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
I have structured my data with two directories
locations READ - all users WRITE - only the user that owns this data
users READ / WRITE - only the user that owns this data
When I set these rules my currently logged in user does not see their data anymore.
DATABASE
my format for saving users/${this.uid}/stories
I was using the UID as a way to make each user unique in the database.
ERROR MESSAGE from Firebase
Error: permission_denied at /users/HBTaJt057Bf63oS771gah1allYe2/stories: Client doesn't have permission to access the desired data.
I am not sure if I don't understand the concept or if I am missing some minor detail. Any ideas would be truly appreciated.
Regards,
Jesse
My app allows anyone to write a new message (the message cannot be updated or deleted), which should then only be visible to authenticated users. The authenticated users can edit the data (which will include things like flag as important, etc.). Think of the app like a private suggestion box (anyone can submit a suggestion but only the admins can view the submitted suggestions). I'm using the Firebase simulator and the following fails but it shouldn't:
Firebase Simulator
Write
Location: messages/
Authenticated: false
Data (JSON)
{
"key": "value"
}
Firebase Database Rules
{
"rules": {
"messages": {
"$message": {
".read": "auth !== null",
".write": "!data.exists() || auth !== null",
},
},
"users": {
".read": "auth !== null",
".write": "auth !== null"
}
}
}
I think that's because you're testing with messages/ whereas only writes to messages/{message-id} would be allowed. Try writing to messages/somethingrandom.