I am not able to make the security rules in Firebase database working although the simulator shows they are in place.
A simple example:
{
"rules": {
"items":{
"$itemid":{
".read":true,
".write":"newData.child('id').isNumber()"
}
}
}
}
For above rules when I try posting an item from simulator with text value in 'id' it gives proper error as expected.
For Url: /items/-sdsd123
And for data: {"id":"MAC1", "name":"Macbook Pro"}
It gives write denied error in simulator as 'id' is not number.
However after publishing the rules and trying from code or browser data editor it allows the id to be text value. Below works:
var key = db.ref("/items").push().key;
db.ref('/items/' + key).set({"id":"MAC1", "name":"Macbook Pro"});
I am missing something basic but not able to figure it out, kindly help.
Related
match /UserProfile {
match /{uId}{
allow get: if isUserLoggedIn() && !isUserBlocked(uId);
}
when i try to get data from UserProfile/{uId} using the above security rules it throws the following error in the firestore and in code it says insufficient permissions:
Error running simulation — Error: simulator.rules line [199], column [28]. Function not found error: Name: [get].
now the definition of above two function are here
function isUserLoggedIn(){
return request.auth != null;
}
function isUserBlocked(uId){
return (('blocked' in get(/databases/$(database)/documents/UserSettings/$(uId)).data) && (request.auth.uid in get(/databases/$(database)/documents/UserSettings/$(uId)).data.blocked));
}
the first function runs very well
but the second one doesn't
it throws that error
and as of my knowledge the function is alright
please help i have wasted a whole lot of time on this piddly problem
what i have tried
i read in one of the threads that it is a temporary problem
but it is not like that. its been more than 48 hours now
somewhere it was also mentioned that this is a bug only in simulator but the code will run smoothly and even this is not the case. in code the error is insufficient permissions as expected by me
i have read the docs properly so my code is alright have tested the get method in other rules and there it is working fine
thats it please help
Update: The errors are a bug in the rules simulator, see Doug's comment below.
I tried out your rules and they worked as expected in the simulator.
Rules:
match /UserProfile {
function isUserLoggedIn(){
return request.auth != null;
}
function isUserBlocked(uId){
return (('blocked' in get(/databases/$(database)/documents/UserSettings/$(uId)).data) && (request.auth.uid in get(/databases/$(database)/documents/UserSettings/$(uId)).data.blocked));
}
match /{uId}{
allow get: if isUserLoggedIn() && !isUserBlocked(uId);
}
}
Test query in simulator:
get /UserProfile/foo
Authenticated: Yes
Firebase UID: bar
The request succeeds or fails based on the UserSettings/foo document in the database:
Denies request:
/UserSettings/foo
{
content: "my content"
blocked: { bar: true }
}
Allows request:
/UserSettings/foo
{
content: "my content"
blocked: { otheruser: true }
}
I think that errors can pop up when the data doesn't exist or isn't in the expected format.
For example, if I delete the /UserSettings/foo document I also receive:
Error: simulator.rules line [58], column [28]. Function not found error: Name: [get].
I also get this error if the blocked field is anything other than a map (because in is a function for maps):
Error: simulator.rules line [58], column [95]. Function not found error: Name: [in].
You can probably clean up these errors by using exists and checking the type of blocked but either way, your rules should still deny the request as expected.
I posted a question about this yesterday but I'm creating a new one with more details.
Firestore .setData is blocked by update rule not create
I've run the simulator and the rules work there. Also when I create the document and change setData in the swift code to update the code works. It appears to only fail when creating the document. But the catch is that when I remove the update rule or simply change it to allow update: if false; the setData (or seen as create by the rules) executes properly. I have no clue whats going on nor do I know of any tools for getting a better insight.
match /users_real/{userID} {
allow create: if true;
allow read: if isOwner(userID);
allow update: if (request.writeFields.size() == 1);
}
set data:
self.docRef.collection("users_real").document("adfadsf").setData(post) { (error) in
if let error = error {
print("He dead!: \(error.localizedDescription)")
}
else {
print("it worked, for now")
}
}
Firebase Support confirms that there is a bug related to the evaluation of request.writeFields.size(). No estimate was given of when it will be fixed.
The existence of the bug can be demonstrated with the following rules:
service cloud.firestore {
match /databases/{database}/documents {
match /cities/{city} {
// This should always evaluate to true, but does not.
allow create: if (request.writeFields.size() == 1) || (request.writeFields.size() != 1);
allow update: if true;
}
}
}
Although the create rule should always evaluate to true, an attempt to create a city fails with Permission Denied. It seems that the problem with request.writeFields affects not only the rule in which it appears, but also other rules for the path. For the rules shown above, an attempt to update an existing city also fails with Permission Denied.
I'm writing a simple Firebase app. All of the logic is now working, but I'm trying to write some security rules to at least stop someone messing up all my data.
I don't track users or authenticate them, my app is to be usable by anyone without a login.
I have a list of soccer players in this format:
Player
-results
-0
-1
-2
-3
Each of the results has a field called Points which I want to be writable, but a field called Name which I do not want to be writable.
I have implemented the following rules:
{
"rules": {
".read":true,
"Player" : {
"results": {
"$results_id": {
".read":true,
"Name":{
".read":true,
".write":false
},
"Points":{
".read":true,
".write":true,
}
}
}
}
}
}
But when use the simulator to write { "Points" : 2} to /Player/results/1 I get an error message:
Attempt to write {"Points":2} to /Player/results/1 with auth=null
/
/Player
/Player/results
/Player/results/1
No .write rule allowed the operation.
Write was denied.
I thought that $record_id was a wildcard that would match the ID, clearly I'm wrong, but could someone please explain this to me?
Just like with read operations, where you need read permission at the level where you read, with write operations you need permission at the level where you write.
You're executing a write to /Player/results/1, which is not allowed.
You are allowed to write to /Player/results/1/Points. So if you change the operation to write /Player/results/1/Points with value 2 it will be allowed.
UPDATE: I got the issue fixed, it was due to my Meteor Publish setting I had to change it to return Links.find(); and then filter the correct data in my links list return Links.find({topicId: this._id}, {sort:{submitted: -1}});
So I'm getting some very weird issue and I'm really stuck.
I have the following route setup
this.route('linkEdit', {
path: '/link/:_id/edit',
data: function() {
console.log(this.params);
console.log(this.params._id);
console.log(Links.findOne(this.params._id));
return Links.findOne(this.params._id)
}
});
So this.params is fine I'm getting - [_id: "LiAiifzPHmMR23tg3", hash: undefined]
For this.params._id - I'm getting the correct ID, LiAiifzPHmMR23tg3
But for Links.findOne(this.params._id) - I'm getting undefined
However when I check mongodb I have a link with that ID.
Also if I add an alert, while the alert is popping up the template renders the data but then re-renders and I'm getting blank data as it can't find the correct link ID.
That's because your collection query is a bit off, you'll want to change that to the following:
Links.findOne({_id: this.params._id});
Im using firebase and for some reason my code is not pushing data and im not seeing the data in the firebase url. My code is this
var chatref = new Firebase('https://flockedin.firebaseio.com/');
chatref.push({ ChatId: $('#conversationId').text(), User: $('#username').html(), Message: $('#txtchat').val() }, function (response) { if (response) { alert('saved'); } });
i get the alert 'saved' but i cant find the data in firebase url.
Also what is the use of API Key that is given for each url in the firebase.
UPDATE:This happens in IE10. In other browsers it works fine
IE10 seems to be working for me. Can you give more details about what version you are using (desktop / tablet / phone?).
Also, is it possible that your jquery selectors were returning null? If all of the values in the object that you set evaluate to null, Firebase treats it like a call to remove. See the note in the docs for set: https://www.firebase.com/docs/javascript-client/firebase/set.html
Try going to your FireBase Console->Database->Rules and set them to:
{
"rules": {
".read": true,
".write": true
}
}
Make sure your app is not public when you do this. Lmk if it helps.