I have a firebase location with all of my app's stored messages as child objects.
I want clients to be able to get each message if they know the id of the message but not download the entire messages table.
What would the security rule for this look like?
Thanks.
You can disallow a read on the parent, but allow reads if the ID is known:
"rules": {
"messages": {
// Disallow enumerating list of messages
".read": false,
".write": false,
"$messageID": {
// If you know the messageID you can read the message.
".read": true,
// Cannot overwrite existing messages (optional).
".write": "!data.exists()"
}
}
}
See https://github.com/firebase/firepano for an example app that uses unguessable URLs for security.
Related
I have a Firebase database that I want to only allow users who have access to that application to be able to read from and write to.
My data structure is like so:
{
"applications": {
"id_1": {
"feature": {
"a": true,
"b": false
},
"users": {
"user_id_1": true,
"user_id_2": true
}
}
}
}
As you can see, each application can have many users who have read/write access.
I only want users in the users object to be able to retrieve that application.
I have rules like so:
{
"rules": {
"applications": {
".read": "auth != null",
".write": "auth != null",
"$appId": {
".write": "data.child('users').child(auth.uid).val() === true",
".read": "data.child('users').child(auth.uid).val() === true"
}
}
}
}
".read": "auth != null", allows any user who is logged in to be able to retrieve all applications. I only want users user_id_1 or user_id_2 to be able to read that application.
In pseudo code, I would do something like this:
{
"rules": {
"applications": {
".read": "only users in `root.applications.$appId.users` can read", // I need to replace `$appId` some how
".write": "auth != null",
"$appId": {
".write": "data.child('users').child(auth.uid).val() === true",
".read": "data.child('users').child(auth.uid).val() === true"
}
}
}
}
How can I restrict it so when user user_id_1 fetches their applications, they only see apps they have access to?
You're hitting a few common problems here, so let's go through them one by one.
1. Security rules can't filter data
You're trying to control in your rule on /applications what application will be returned when a user tries to read that node. Unfortunately that is not possible, because security rules grant all-or-nothing access.
So either the user has access to /applications (and all data under it), or they don't have access to it. You can't set a rule on /applications to grant them access to some child nodes.
In the documentation, this is referred to as rules are not filters and the fact that permission cascades.
2. Avoid nesting data
You're trying to grant access to /applications, but then store two types of data under there for each application. In cases like that, it is usually better to store each type of data as its own top-level list.
So in your case, that'd be:
{
"application_features": {
"id_1": {
"a": true,
"b": false
},
},
"application_users": {
"id_1": {
"user_id_1": true,
"user_id_2": true
}
}
}
This allows you to grant separate access permissions for the application users and its features. While it means you'll have to read from both branches to get all information of each user, the performance difference there is negligible as Firebase pipelines those requests over a single socket
For controlling access and the most scalable data structure, Firebase recommends that you avoid nesting data and flatten your data structure.
3. Model the data in your database to reflect the screens of your app
Since granting anyone access on /applications gives them access to all data under that, you'll likely need another place to store the list of applications for each user.
I usually make this list explicit in my databases, as another top-level list:
{
...
"user_applications": {
"user_id_1": {
"id_1": true
},
"user_id_2": {
"id_1": true
}
}
}
So now when you want to show the list of applications for the current user, you load the IDs from /user_applications/$uid and then look up the additional information for each app with extra calls (which in turn can be pipelined again).
This one is not in the documentation, but a common pattern with NoSQL databases. I recommend checking out my answers to Many to Many relationship in Firebase and Firebase query if child of child contains a value.
my user database contains all users with data like username, rating, description, email.
I want to access all user but, want to set email to be unreadable. Is it possible to set just one property to not be readable?
this is my rule:
"users": {
".indexOn": ["username","id"],
".write": false,
".read": true, //removed
"$user_id":{
"email": {
".read": false,
},
}
},
This is not possible with Firebase Realtime Database. Once a user can read a node, they can read all data inside that node.
You'll want to instead separate the emails into their own top-level node, where you then control access on the entire node.
For more on this see:
How to block reading specific field in child in the firebase
I am having trouble in writing firebase permissions. I want those users if authenticated only write to users section and Everyone else should be able to read or write to any section of the database. Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated or I have to explicitly write rules for every table.
PS. It would be great if someone could guide me what rules should I implement for an app with features for sending and receiving a message with the following structure:
-Chat
-Friends
-Users
-message_notifications
-messages
-notifications
/* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
"rules": {
"Users":{
"$uid":{
".read": true,
".write": "auth.uid == $uid"
}
}
}
}
Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated?
Once a user has access to data at a certain level in your database, they have access to all data under that level. You cannot revoke this permission on a lower level. So there's no way to give a user access to all data at the root, and then exclude one node.
What you can do is use the $ wildcard rules to create two types of top-level nodes:
{
"rules": {
"Users":{
"$uid":{
".read": true,
".write": "auth.uid == $uid"
}
},
"$others": {
".read": true,
".write": true
}
}
}
With the above rules, users can:
Only read the /Users/$uid node of a user if they know the UID of that user.
Can only write their own /Users/$uid node.
Can read and write all other data.
I'm having issues reading and writing data from my database on the client (my iOS app) using the following database rules:
// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
However, I have no issues reading and writing my data when using the following rule:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
My goal is to have each user only have the ability to read/write their own data. Any suggestions/help would be appreciated.
EDIT:
When attempting to post I use the following (iOS):
let key = ref?.childByAutoId().key
let post = ["uid": key,
"title": titleField.text,
"description": descField.text]
ref?.child(key!).setValue(post)
When I want to retrieve those data entries, currently I am attempting to retrieve the data entries by looking at the reference point ("task") (in iOS, my database reference is the following):
ref = Database.database().reference().child("task")
ref.observe(.childAdded, with: { (snapshot) in
print(snapshot)
guard let dictionary = snapshot.value as? [String : AnyObject]
else {
return
There are a couple things going on here.
First as Doug answered, your rules have to match your query.
Second, when using childByAutoId() you are creating a random key. Instead you should be using the UID of the logged in user.
And third when reading from the database you have to make sure to read from the location where you have placed your rules. Currently you are trying to read the entire list were there are no rules defined. (When no rules are defined Firebase defaults to false) Instead you should read the child of the list.
You can also take a look at my answer here for some more explenation and links to relevant docs.
Your rules don't match your queries. Your query is accessing documents at a node called "task", but your rules are protecting a node called "posts". You should edit your rules to match the queries you intend to protect.
I am trying to display a list of messages based on the recipient but for now, let's keep it simple. I am just trying to display a list of messages.
My rule looks like this
{
"rules": {
"communications" : {
"$communication":{
".read" : true,
".write": true
}
}
}
For some reason though, my application does not want to read it
fireRef = new Firebase(url);
fireRef.auth(MY_TOKEN);
commsRef = fireRef.child('communications')
$scope.communications = $firebase(commsRef)
It only works if I have a rule looking like
{
"rules": {
"communications" : {
".read" : true,
".write": true
}
}
But that will cause problem as I would like to add condition on the children node of my communication. Something like:
{
"rules": {
"communications" : {
".read" : true, ### I would like to get rid of this line as well and have the child handling it
".write": true,
"$communication":{
".read" : "data.child('to').val() == auth.uid"
}
}
}
I am assuming that is because I have a $firebase on the communications and it needs some read or write rules but how do I get the event when a new message is added otherwise
Thanks
With respect to security rules, Firebase operations are all-or-nothing.
That means that lists of data sent to the client will never be incomplete, or filtered views of the complete server data. As a result, attempting to load all of the data at /communications will fail when using your first set of security rules, even though you do have permission to read some of the data there as governed by the child rule at /communications/$communication.
To handle this use case, consider restructuring your data such that each communication is indexed by recipient, i.e. /communications/$recipient/$communication, which will simplify your security rules.
Additionally, you could even make that bucket read-only by the recipient (i.e. .read: auth.id == $recipient) while allowing anyone to send a message to that user (i.e. .write: auth != null && !data.exists()). That last rule ensures that the sending client is authenticated and writing to a location that does not yet exist, such as a new push id.