Why can I write to `/users` with these Firebase Database rules? - firebase

I have read the Google Firebase Database Security Rules documentation and I implemented this following rule in my rules file:
{
"rules": {
"users": {
"$user": {
".read": "auth.uid === $user",
".write": "auth.uid === $user"
}
}
}
}
The problem is that testing it in the simulator I saw that I can read and write everything in users, like there is no rule.
Is that a Firebase Database problem? How can I solve it?
Here is my test:
Here is the link of the documentation: https://firebase.google.com/docs/reference/security/database/#variables

The rules in your screenshot are different from the ones you posted before.
In Firebase Database security model, permissions cascades down: once you give a user read or write permission on a node, you cannot take that permission away on a lower level. See the documentation on security rules for more information.
If you remove the top-level ".write": "auth !== null", you will find that you can no longer write to /users and can only write to /users/uid123 if you're user uid123.

Related

Having Confusion in Firebase Rules for my App

I am having trouble in writing firebase permissions. I want those users if authenticated only write to users section and Everyone else should be able to read or write to any section of the database. Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated or I have to explicitly write rules for every table.
PS. It would be great if someone could guide me what rules should I implement for an app with features for sending and receiving a message with the following structure:
-Chat
-Friends
-Users
-message_notifications
-messages
-notifications
/* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
"rules": {
"Users":{
"$uid":{
".read": true,
".write": "auth.uid == $uid"
}
}
}
}
Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated?
Once a user has access to data at a certain level in your database, they have access to all data under that level. You cannot revoke this permission on a lower level. So there's no way to give a user access to all data at the root, and then exclude one node.
What you can do is use the $ wildcard rules to create two types of top-level nodes:
{
"rules": {
"Users":{
"$uid":{
".read": true,
".write": "auth.uid == $uid"
}
},
"$others": {
".read": true,
".write": true
}
}
}
With the above rules, users can:
Only read the /Users/$uid node of a user if they know the UID of that user.
Can only write their own /Users/$uid node.
Can read and write all other data.

Firebase Authenticated but data not able read or write

I have implemented Firebase authentication with Gmail, Facebook,Twitter.
I have successfully logged in firebase, Then i have changed Database Authentication rules to below.
{
"rules": {
".read": false,
".write": false
}
}
In firebase console it is showing login users list but while retrieve data it is showing permission denied. Could you please help me to resolve this issue?
if i change above settings to true i can able to read and write data.
Setting both to false will deny read/write access to all users. You can use the auth syntax in your security rules to identify whether or not a user is logged in.
For example, to allow read/write access for logged in users only your rules would look like -
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
As the name (Database Authentication rules) suggests, these rules are for your Firebase-Database, that who should be allowed to read and write the data on your database and who should not be.
So, in your case, what have you done is- You've set both read and write to false. This means no one will be able to either read or write to your database. And that's what is happening (You're not able to write to the database).
But, when you set both of them to true, then everyone will be able to read and write.
So, if you want everyone to be able to read and write to your database, then your rules will look like this:
{ "rules": {
".read": true,
".write": true"
}}
If you want nobody to be able to read and write to your database, like temporary disabling your website or app:
{ "rules": {
".read": false,
".write": false"
}}
If you want everyone to be able to read your database but want only authenticated members to be able to write to your database like they've purchased the premium account and now they can edit the site, then the rules would be:
{ "rules": {
".read": true,
".write": "auth != null"
}}
If you want only authenticated members to be able to read and write to your database, then the rules would be:
{ "rules": {
".read": "auth != null",
".write": "auth != null"
}}
And if you want to explore more about how this stuff works. Then here is the link to official documentation: Understanding Firebase Database Rules

Permission denied with Firebase

I want users of my app to have access to see profile of other users that is accessed via real-time database. I'm referencing to db via
ref.once('users/'+uid, snapshot => snapshot.child('users/'+uid).val())
Rules i have:
{
"rules": {
"users": {
".read": true,
"$uid": {
".write": "$uid === auth.uid"
},
},
}
I don't get why i can't access users/:uid even though simulator gives success message by ticking read and running simulation on <firebaseURL>/users.
If i set ".read": true" under rules it does allow me to read the data, but that may bait me later on if i would want to implement stuff that i don't want to be available to unauthorized users.
Edit (solution):
The problem was with referencing to firebase. Instead of firebase.database.ref('users') I was referencing too root itself by firebase.database.ref().
That reference caused to apply default read/write rules.
You could give ".read": "auth != null" to allow all authorised users to read data under users object and prevent unauthorised users from reading it.

How to grant write access to only a person within Rules?

I am little bit confused about setting permissions in Rules section of my Firebase database.
I am working on an app (which is a Book actually) and the app must be updated by only one person with this email address: someone#gmail.com. Therefore the rest of people, either authenticated or not, must not be able to modify the contents, but they are allowed to read.
If you look at the Firebase Security Rules API, you'll see that the user's email address (if there is one) is made available via auth.token.email.
So to grant write access to the entire database to the user with the someone#gmail.com email address and read access to everyone else, you could define rules like this:
{
"rules": {
".read": true,
".write": "auth !== null && auth.token.email === 'someone#gmail.com'"
}
}
Said rules would grant read access to everyone. If you wanted to grant read access only to authenticated users, you could use:
{
"rules": {
".read": "auth !== null",
".write": "auth !== null && auth.token.email === 'someone#gmail.com'"
}
}

In Firebase security rules how can you stop hackers running a script for signup to your website? bare in mind I need them to be able to signup

In Firebase security rules how can you stop hackers running a script for signup to your website? bare in mind I need them to be able to signup externally on my homepage so I cannot say they need to be logged in.
I know the basic settings from reading Firebase security documentation but I'm worried its not secure enough, especially if someone new my firebase app url to write or read to the database.
In addition it would be good to know the basics I should have so I can check if I do have those.
Currently I have these settings:
{
"rules": {
"users": {
".read": "auth != null",
".write": true,
".indexOn": ["uid", "region"]
}
}
}
Users can write as I need them to sign up but cannot read unless then are logged in. Also have some indexes for performance reasons.
This is where my knowledge stops.
Thanks in advance!
You want to allow users to write, but only to their own user entry. That's actually easy to do with rules:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
". write": "auth != null && auth.uid == $uid"
}
}
}
}
This says /user/{$uid} can only be read or written by a user who is signed in, and who's user ID matches the {$uid} part of the path. Take a look at the rules quickstart for more.

Resources