I want to check if a user is listed in a subfolder, maybe a simple question but I can't figure out the syntax
I tried something like:
"group": {
"$groupId": {
".write": "data.child('admins').child(???).val()==auth.uid",
}
}
db structure:
Related
I am facing a puzzling situation with Realtime Database Rules.
The rules below are working, they allow me to write data to FirstCollection:
{
"rules": {
"FirstCollection": {
".read": true,
"$Section": {
".write": "(auth!=null)"
}
}
}
}
This second set of rules used to work until yesterday, and it no longer works:
{
"rules": {
"FirstCollection": {
".read": true,
"$Section": {
".write": "(auth!=null)&&((auth.uid=='98ab..myOwnUID..23YZ')||(auth.uid=='98ab..aSecondUID..23YZ'))"
}
}
}
}
I have checked everything I could think about including the exact value of myOwnUID.
Can any experienced user spot the issue or any mistake I could be making (or could have made)?
Here is the issue I was having. The rules have in fact nothing wrong.
What happens is that the code in my app is creating a new user with the auth.createUserWithEmailAndPassword API function. And since this function has the "annoying side effect" of signing in as the newly created user, when I then hit the rules in the flow of the app my auth.uid is no longer what I expect it to be, thus explaining why the rules fires.
I've created a list of banned users in my realtime Database and I want to make them impossible to log-in, I know I can use the database rules, but I don't know how, can someone help me?
This is my database structure:
/banned-users:
/UserId1:True
/UserId2:True
Those are my database rules:
{
"rules": {
".read": true,
".write": true
}
}
You need to reference data in other paths as follows:
{
"rules": {
"thepath": {
".read": "root.child('banned-users').child(auth.uid).val() !== true"
".write": "root.child('banned-users').child(auth.uid).val() !== true"
}
}
}
Note that actually you don't "make them impossible to log-in", because this is not possible, but you prevent them writing to/reading from your database.
I have the following rules for my database. My database structure is as follows in the database
My rules for my database are as follows:
{
"rules": {
"Users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
If I do a query to read the books under a user or add a new book under a user, will this rule still apply and only allow users who have a correct user id to add the book? Or will I need to drill down to Books and add that rule? Something like...
Permission cascades downwards in the database. So once a user has read or write permission on /Users/$uid they also have that same permission on the Books node under there.
For more on this, see the documentation on read and write permissions cascase.
I m using firebase Database .Planning to have quite a large data collection , I'm trying to use indexes . Making some tests, i don t know if rules i implement are correct let alone improve the queries .Is there a way to have a feedback on those indexations (correct or not, improve or not)
right now i have one class as described in the picture and i have the created the following rule
{
"rules": {
".read": true,
".write": true,
"users": {
"$user_id": {
".indexOn": ["user_id", "username"]
}
},
}
Since i get no feedback from firebase, i don t know if this is correct and improves anything .
Firebase's server-side rules are meaningless without seeing the code that exercises them.
But at a first glance it seems you're defining your indexes too low in the tree: indexes need to be defined at the location where you run the query. So if you want to run a query on /users, you need to define the indexes on /users:
{
"rules": {
".read": true,
".write": true,
"users": {
".indexOn": ["user_id", "username"]
}
}
}
This is a rough example of what my database looks like.
"userA": {
"uf": {
"userB": "0"
}
},
"users": {
"userA": "0",
"userB": "0",
"userC": "0"
}
And this is a rough example of the rule I am trying to write.
//USER ID
"$uid": {
//USER FRIENDS
"uf": {
//FRIEND USER ID
"$fuid": {
".write": "$uid === auth.uid &&
root.child('users').hasChild($fuid)",
}
},
},
And this is what I am trying to get working in the simulator
//Location /userA/uf/
//Data { "userC": "0" }
It seems that the security rule will always deny a write when the "key" for a data key value pair is a variable in my rules, in this case "$fuid". The simulator will return the messages "Simulated set denied" and "Write denied" but won't give me any additional details. I could get around this by writing the following.
//Simulation Method set
//Location /userA/uf/userC/
//Data { "0": "0" }
But this feels like it's writing unnecessary data to my database. What is the best practice here? Thanks.
Your rules give access to {uid}/uf/{fuid} but you're trying to write at {uid}/uf.
That {"0": "0"} is indeed unnecessary, you can just write "0".
If you want to write multiple friends at once, you can perform a multipath update, or modify your rules to allow writing directly at {uid}/uf and ".validate" the children.
Side note: if your users can be deleted, if user A has user B as a friend and user B is deleted, your rules won't allow user A to remove user B from the friends list. You should take care of that by changing the rules to allow the deletion of friends that do not exist, or by setting up an onDelete() triggered cloud function that would do the cleanup.