Firebase: permission_denied -- cannot access newData.child() - firebase

This is the structure of my data
{
"projects" : {
"proj1" : {
"-JccS4StrTnJdTficR-u" : {
"name" : "consultation",
"status" : false
},
"-Jd6JlJUfyyZ2U0NTQEs" : {
"name" : "Words",
"status" : false
}
},
"proj2" : {
"-JccS6nwYHRrxvjZtCkt" : {
"name" : "Rework",
"status" : false
},
"-Jd6Jqa7-EPJuWxbtJAV" : {
"name" : "Review",
"status" : false
}
},
"proj3" : {
"-JccSJ5lEBQEg3XCbG-u" : {
"name" : "translation",
"status" : false
}
}
}
}
Here are my rules
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
When I created the database, there was no rule. Now, I've created the rules. I want the length of the name to be less than 10 characters.
When I run the code, I'm getting the following error: FIREBASE WARNING: set at /projects/proj3/-Jd4n6XditTHLWKVmhC6 failed: permission_denied
I can't exactly tell why it's not working. I've also tried just this portion newData.child('name').isString(), but I'm still getting the same error.
Here is the code that push data to FireBase
function saveToFB(taskName, proj) {
// this will save data to Firebase
var project=projTasks.child(proj);
project.push({
name: taskName,
status: false
});
};

Looking at the structure of your data, as well as your rules, it looks like there is a missing level of data between "proj1"/"proj2"/"proj3" and the object that has name and status attributes.
Specifically, the .validate rules you have configured is checking the length of the name attribute for "proj3", not the new element added to the list there.
To get around this, try increasing the depth of the security rules definitions, and make use of the $wildcard functionality, where any security rules key prefixed with $ is treated as a wildcard with a name that you can reuse.
{
"rules": {
".read": true,
"projects": {
"proj1": {
".write": "auth != null"
},
"proj2": {
".write": true
},
"proj3": {
".write": true,
"$someChildElementHere": {
".validate": "newData.child('name').isString()
&& newData.child('name').val().length < 10"
}
}
}
}
}

Related

Securing Firebase RTDB with multiple databases for chat app

I am on the blaze plan and building a chat functionality in my app using Firebase realtime database.
I have 3 databases for now :
Main instance that contains sharding information and users chats' info.
The 2 other instances will contain the chats and messages.
The database structure for the main instance looks like this :
{
"shards" : {
"shard1" : {
"full" : false,
"name" : "shard1",
"num" : 1,
"url" : "shard1Url"
},
"shard2" : {
"full" : false,
"name" : "shard2",
"num" : 0,
"url" : "shard2Url"
}
}
}
And here is the data structure of one of the shard :
{
"users" : {
"user_id_1" : {
"chat_id_1" : true
},
"user_id_2" : {
"chat_id_1" : true
}
},
"chats" : {
"chat_id_1" : {
"created" : true,
"createdAt" : 1645888918717,
"members" : {
"user_id_1" : true,
"user_id_2" : true
},
"name" : "",
"uid" : "chat_id_1",
"updatedAt" : 1645895862214
}
},
"messages" : {
"chat_id_1" : {
"mess_id_1" : {
"content" : "Hello",
"chatID" : "chat_id_1",
"createdAt" : 1645895862214,
"senderID" : "user_id_1",
"uid" : "mess_id_1"
},
"mess_id_2" : {
"content" : "Bye",
"chatID" : "chat_id_1",
"createdAt" : 1645889441313,
"senderID" : "user_id_2",
"uid" : "mess_id_2"
}
}
}
}
I want the following rules to apply :
Reads :
A user can listen for changes under /users/$user_id/ where $user_id is auth.uid
A user can get all the chats from the above IDs when he is in the member map (under /chats/$chat_id)
A user can read all the messages from a chat when he is a member (under /messages/$chat_id)
Writes :
A user can create a chat if there is no data under the chat_id node
A user can update a chat if he is a member under the chat_id
A user can create a message if a chat_id exists and if he is a member under the chat_id and if the senderID matches the auth.uid
A user can delete a message if he is the sender of the message (not sure i can do this with security rules but only client side)
A user can add only an item like {"$chat_id": true} under any other user under /users/$user_id/
So far, here are my rules that are not working :
-> Main shard :
{
"rules": {
"shards": {
".read": "auth.uid != null",
".indexOn": ["full"],
"$shardName": {
"num": {
".write": "auth.uid != null"
},
"$other": {
".write": false
}
}
},
}
}
-> For other shards :
{
"rules": {
"users": {
"$userID": {
".write": "auth.uid != null && !data.exists()",
".read": "auth.uid == $userID",
}
},
"chats": {
"$chat_id": {
".read": "data.child('members/'+auth.uid).exists()",
".write": "(!data.exists() && newData.hasChild('members')) || data.child('members/'+auth.uid).exists()",
}
},
"messages": {
"$chat_id": {
".read": "root.child('chats').child($chat_id).child('members').child(auth.uid).exists()",
".indexOn": ["createdAt"],
"$mess_id": {
".write": "(!data.exists() && newData.child('senderID').val() == auth.uid) || (data.exists() && data.child('senderID').val() == auth.uid)"
}
}
}
}
}
EDIT :
I have made many edit regarding the database structure.
I especially need help with reads rather than writes, as writes seem to be working fine now but i would like confirmation and / or changes if you see mistakes.

How to allow a node to be created, updated and deleted by the creator but not by other users in Firebase?

My app's content is generated by the user. I want each user to access and edit his own data (the nodes he creates). So the user creates a "clips" node and a "clipOwners" node if the nodes are empty and he should also be able also to update any of these nodes and child nodes if he is the owner. Another user shouldn't be able to create a new node if the node pushKey (i.e. "$11111111") is already taken.
Here is my database structure:
clips {
variable Key >>> "111111111111" : {
"MACaddress" : "111111111111",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
},
"222222222222" : {
"MACaddress" : "222222222222",
"comments" : "",
"created" : "Mon Apr 16 2018 12:40:13 GMT+0100 (BST)",
"inRoom" : "-LADDm48Uqabm1bcQGOw",
"ins" : {
"1523878813443" : true
},
"name" : "1",
"outs" : {
"1523878813443" : true
},
"ownerID" : "QpMHsVHHRrMvk92rbSQvcYEv4en1"
}
},
"clipOwners" : {
"111111111111": "QpMHsVHHRrMvk92rbSQvcYEv4en1"
"222222222222": "QpMHsVHHRrMvk92rbSQvcYEv4en1",
}
I am trying this but the "ownerID" child node keeps on being updated by another user if another user tries to write to the same $MACaddress:
"clips": {
".read": "true",
".write": "!data.exists() || newData.exists()",
"$MACaddress":{
"ownerID": {
".validate": "!data.exists() || newData.val() === root.child('clipOwner').child($MACaddress).val()",
}
}
},
"clipOwners": {
".read": true,
".write": "newData.exists()",
"$MACaddress": {
},
Why is it behaving like that?
Any ideas on how I can lock this thing?
In your current write rules you only check if data (not) exists. In this answer i will only focus on the write rules to make sure you can't have duplicate keys (see clipOwners rules) and you can only write to your own data (see clips rules):
"clipOwners": {
".read": true,
"$MACaddress": {
//Only create or delete are possible and value is the user uid
".write": "(!data.exists() || !newData.exists()) && (newData.val() == auth.uid || data.val() == auth.uid)"
}
},
"clips": {
".read": "true",
"$MACaddress":{
//The $MACaddress has to exist in the clipOwners node and its value has to be the user uid
".write": "root.child('clipOwners/'+$MACaddress).exists() && root.child('clipOwners/'+$MACaddress).val() == auth.uid"
}
}
When writing you first have to write the $MACaddress in the clipOwners node because this will be used to check if the user can write to the clips node.
You can take a look at these docs for a simular case.

Firebase security rules, data variable

I have a database schema like this:
Posts
unverified
post_1
post_2
...
And here is a shortened list of data in /posts/unverified path
{
"-L7xmY2HMeEImDZnZqTf" : {
"categorie" : 0,
"commonFields" : {...},
"fbKey" : "-L7YM7vEf8RpcxGUTpDE",
"images" : [...],
"specialFields" : {
"area" : "150",
"productPrice" : {
"currency" : "dollar",
"value" : "65000"
},
"requestType" : "sell",
"requesterType" : "personal",
"roomCount" : 3,
"suburbia" : "false"
},
"subCat" : 0,
"timestamp" : 1521011840178,
"uid" : "Fo5f6VonWgQVpsf6u80TPgoi2it2"
},
"-L7YNUZPL1-Dl7EhScEE" : {...},
"-L7YNUZPL1-fdfasfa" : {...},
"-L7YNUZPL1-ljljklfd" : {...},
"-L7YNUZPL1-lkjlkjfas" : {...},
}
And a firebase security rules defined as below
{
"rules": {
"posts": {
"unverified": {
".indexOn": "timestamp",
".read": "data.child('uid').val() === auth.uid"
As the rules show, I want to read unverified posts if the users id equal to the uid field in the post data
But every time i use the rules simulator ( or test the with the codes ) with the below configuration, its' giving Simulated read denied error
Thanks for your helps
Your .read rule is defined on /posts/unverified and checks a child called uid. So the total path is /posts/unverified/uid.
You're trying to read /posts/unverified/-L7xmY2HMeEImDZnZqTf. And the UID value is defined on /posts/unverified/-L7xmY2HMeEImDZnZqTf/uid.
The two paths don't match. You need to add a wildcard in your rules:
{
"rules": {
"posts": {
"unverified": {
".indexOn": "timestamp",
"$postid": {
".read": "data.child('uid').val() === auth.uid"

firebase web - update database where a certain value is found

My database looks as below :
I need to update the division_name where the index_num is 3.
I tried the following code but it did not work -
var division_index_found="3";
var division_name_given="new div";
var query_update=firebase.database().ref("/divisions")
.orderByChild('index_num').equalTo(division_index_found);
query_update.once("child_added", function(snapshot) {
snapshot.ref.update({ division_name: division_name_given });
});
What approach to adopt here ?
EDIT1:
I get warning in chrome console :
FIREBASE WARNING: Using an unspecified index. Consider adding ".indexOn": "index_num" at /divisions to your security rules for better performance
EDIT2:
From the firebase database the districts node (?) looks like :
"districts" : {
"-KbVYCSO8wrMoXD3vL81" : {
"district_name" : "Rangpur",
"division_index" : "3",
"index_num" : 2
},
"-KbVYHgbWMDMtGsnmvei" : {
"district_name" : "jessore",
"division_index" : "3",
"index_num" : 3
},
"-KbVYKtSnPMFDkx9z0cU" : {
"district_name" : "district 1",
"division_index" : "3",
"index_num" : 4
}
}
Now I want to update district_name for a certain index_num and division_index. I use the following code :
var district_index="3";
var division_index="3"
var district_index_parsed = parseInt(district_index);
var query_update=firebase.database().ref("/districts")
.orderByChild('index_num').equalTo(district_index_parsed);
query_update.once("child_added", function(snapshot) {
snapshot.forEach(function(snapshot_indiv){
if(parseInt(snapshot_indiv.division_index)==parseInt(division_index)){
var district_name_again="new district name";
snapshot_indiv.ref.update({ district_name: district_name_again },function(error){
});
}// end of if division_index compare
});// end of forEach
});// end of query_update once
But the console shows :
Uncaught Error: No index defined for index_num
at je.get (firebase-database.js:94)
...
...
at edit_districts.php:359
...
which ultimately hints at the following line of code in my edit_districts.php file:
snapshot.forEach(function(snapshot_indiv){
inside the query_update.once part.The forEach method seems to make the problem.
And the security rules are defined as
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"divisions": {
".indexOn": "index_num"
},
"districts": {
".indexOn": "index_num"
},
}
}
How to get rid of the error to update the database ?
You'll need to add an index to your Firebase Database security rules. I recommend reading the Firebase documentation on security rules, specifically the section on indexes.
From the documentation comes this first sample:
{
"rules": {
"dinosaurs": {
".indexOn": ["height", "length"]
}
}
}
Modified to your data structure, it'll look something like this:
{
"rules": {
"divisions": {
".indexOn": "index_num"
}
}
}

Using Firebase RuleDataSnapshot Methods to access user data

If I have data like this:
root{
PrivateRooms{
<PrivateRoomName>{
...
}
}
users{
<uid>{
permissionFrom{
<PrivateRoomName>:value is not private room name
}
...
}
}
}
...how do I write rules to grant access to < PrivateRoomName > based on the user's permissionFrom children?
I thought this would work:
{
"rules": {
"PrivateRooms" : {
"$roomName":{
".read" : "root.child('users').child(auth.uid).child('permissionFrom').hasChild('$roomName') == true",
".write" : "root.child('users').child(auth.uid).child('permissionFrom').hasChild('$roomName') == true"
}
},
"users" : {
".read" : true,
".write" : true
}
}
}
...but something must be wrong with the rules as this data snapshot is skipped over:
var testRef = new Firebase('https://my.firebaseio.com/privateRooms/<privateRoomName>/privRoomChild');
testRef.once("value", function(snapshot){
var testVal = snapshot.val();
console.log(testVal);
});
In your rules, $roomName is a variable, so it should not be wrapped in quotes.
"$roomName":{
".read" : "root.child('users').child(auth.uid).child('permissionFrom').hasChild($roomName)",
".write" : "root.child('users').child(auth.uid).child('permissionFrom').hasChild($roomName)"
}

Resources