In my Firebase security rules, I want anonymous users to be able to read anything except one field (secret_field):
{
"rules": {
".read": true,
".write": "auth != null",
"stuff" : {
"$stuffID" : {
"secret_field" : {
".read" : "auth != null"
}
}
}
}
}
However, in Firebase, if any read rule on the way to secret_field evaluates as true, read access on secret field is granted.
Is there a way to reverse that behavior? (If any read rule on the way to secret_field evaluates to false, disallow read access)
You can't reverse the behavior, but you can solve this by introducing a "container" for the public fields and setting .read to true for it. For example:
{
"rules": {
"stuff" : {
"$stuffID" : {
"public" : {
".read": true
},
"secret_field" : {
".read" : "auth != null"
}
}
}
}
}
And then everything under .../public/ is accessible to everybody but .../secret_field is only accessible for authenticated users.
Related
I had copied exactly as per the details provided in fire base document
enter link description here
for editing the rules as I received a mail from firebase that my clients will not be able to access data. But what ever I had done I am getting an error like "Error saving rules – Line 4: Expected ',' or '}'.
The code I had copied is shown below
{
"rules": {
"some_path/${uid}": {
".read": true,
// or ".read": "auth.uid != null"
".write": "request.auth.uid == uid"
}
}
}
I tried with some other codes in document also, but the result is same.. Will any one tell me what is wrong with this code
You have the syntax for wildcard rules wrong. The rule with a $ needs to be in a level of its own.
So:
{
"rules": {
"some_path": {
"$uid": {
".read": true,
".write": "request.auth.uid == $uid"
}
}
}
}
Note that I also added the $ in the write rule, as you're trying to use the variable named $uid. there.
{
"rules": {
"some_path/${uid}": {
".read": //Your Condition,
".write": //Your Condition
}
}
}
I have a mobile application which reads the data from the firebase server without firebase login/authentication (posts and news) and I want to create an admin webpage where I can log in and add, or modify news, so I need a write permission there. My rules are currently:
{
"rules": {
".read": true,
".write": "auth !== null && ?????
}
}
Can I write something like "user.emailAddress == 'mail#example.com'"?
You can create a users table on database like
{
"users":{
"your UID":{
"isAdmin": true
}
}
}
Then edit rules :
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
}
}
You might want to start by reading the documentation about securing user data. There is a lot to know here.
One possibility is using the known user's uid to restrict access. The auth.uid variable contains the uid.
".write": "auth.uid == 'the-known-uid'"
Also you can use auth.token to access some other things about the user, including email address (which may not be present):
".write": "auth.token.email == 'the#email.address'"
You can also use custom authentication tokens, which also is covered in the documentation.
Create database:
{
"users":{
"your UID":{
"isAdmin": true
}
}
}
Set rules:
Wrong:
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
}
}
Right:
{
"rules": {
".read": true,
".write": "auth.uid != null && root.child('users').child(auth.uid).child('isAdmin').val() === true"
}
}
I've been messing around with my firebase database rules to try and allow users without authentication to only edit a certain child in my database, but I can't seem to figure it out.
Here is the database structure:
So I'm trying to allow users without authentication to edit the videoID, but not only that, I need the rule to ignore the room id (5555 in this example), meaning it only allows reading and editing of rooms/(roomid)/videoID
Thanks for all kinds of help!
The Firebase Database rules allow variables and can have different rules at different depths.
In your case, the below rules would allow any users (authenticated or not) to access /rooms/$roomid/videoID but only authenticated users to access the entire /rooms/ tree.
{
"rules": {
"rooms": {
".read": "auth != null",
".write": "auth != null",
"$roomid": {
"videoID": {
".read": "true",
".write": "true",
}
}
}
}
}
The Firebase rule simulator (accessible from the Rules tab of the Firebase Database console) is useful for testing rules before publishing:
Maybe something like this :
{
"rules": {
".read": true,
".write": "auth != null",
"rooms": {
"$roomId": {
"videoID": {
".write": true
}
}
}
}
}
It will allow user with authentification to edit another field beside videoID.
But if you want even authentificated user, also can only edit videoID, then the rule is :
{
"rules": {
".read": true,
".write": false,
"rooms": {
"$roomId": {
"videoID": {
".write": true
}
}
}
}
}
Remember, when the rule set true it will not traverse the child rule, But if it set false it will continue inspect the child rules.
I want to create a firebase rule where people can use the database without having to login. But I also want to make a private user node where only the user can acces it by authenticating so far I have something like this. But this trows an error
Error saving rules - Line 6: Expected '}'.
{
"rules": {
".read": true,
".write": "newData.exists()"
},
"test": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
}
}
I do not understand why the above is not possible
But if I do only:
{
"rules": {
".read": true,
".write": "newData.exists()"
}
}
This wil work so that anyone can use the current data but I want to have something private like "Test" where the people who authenticated themself only have access to
So to be clear I want everyone to use the current database but I also want to have some private parts like test only accesable for registered users
Have a look at https://firebase.google.com/docs/database/security/securing-data
You cannot add an element after "rules". It should be like:
{
"rules": {
...
}
}
and not like
{
"rules": {
....
},
....
}
I have a data structure that adds user's data to their unique id such as follows.
"users" :
{
"user_id":
{
"name":"John Doe",
"email":"email#example.com",
"account":"limited",
"avatar" : "this will be a base64 data string"
}
}
I want to deny users from listing other users and I also want logged in users to access their data based on their "user_id" which is gotten from auth.uid
I had tried some rules:
{
"rules" :
{
"users" :
{
".read" : "false",
".write" : "auth != null && !data.exists() && newData.exists() ",
".validate" : "newData.child('user_id').hasChildren(['name', 'email', 'account','avatar'])",
"user_id" :
{
".read" : "auth.uid === user_id",
".write" : "false",
"avatar" :
{
".write" : "!data.exists() && newData.exists() && auth.uid === user_id",
".read" : "auth.uid === user_id"
}
}
}
}
}
Now keeping in mind that "user_id" can be anything and it changes per user, how can I implement that? Do you have other suggestions on a way I can work this out?
You need to take a close look at the Firebase documentation found here: https://www.firebase.com/docs/security/guide/user-security.html
You need to make use of the wildcard path to represent each user like this:
{
"rules": {
"users": {
"$user_id": { //this is the WILDCARD path
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
Wildcard paths explanation: https://www.firebase.com/docs/security/api/rule/path.html
Finally, I wouldn't recommend storing the email in this way because it will be available anyway via simpleLogin.