Firebase Realtime Database rules check if string includes value - firebase-realtime-database

This is what my rules look like:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
}
},
"classes": {
"$classid": {
".read": "root.child('users').child(auth.uid).child('memberOfClasses').child('val').val().matches(*$classid*) || root.child('users').child($uid).child('ownedClasses').child('val').val().matches(*$classid*)",
".write": "root.child('users').child(auth.uid).child('memberOfClasses').child('val').val().matches(*$classid*) || root.child('users').child($uid).child('ownedClasses').child('val').val().matches(*$classid*)"
}
}
}
}
I'm getting Simulation failed - Line 11: syntax error (line 11 is the classes/$classid.read). I'm guessing it has something to do with the regex in .matches(*$classid*)
I'm trying to get it so that if for example users/auth.uid/memberOfClasses or ownedClasses equals something like "154 321 ABC", I would be able to access classes/154, classes/321, and classes/ABC.
What am I doing wrong?

The value that you pass in to matches must be a string literal.
This might work: .matches("*"+$classid+"*")

Related

Firebase your realtime database has insecure rules warning

I have a website that uses Firebase Realtime Database. It usually sends me e-mail about insecure rules warning. I searched about this here and Firebase Documantation, but when I write other rules, it gives me such error:
Error saving rules - Line 10: String can't contain ".", "#", "$", "/", "[", or "]"
{
// Allow anyone to read data, but only authenticated content owners can
// make changes to their data
"rules": {
"some_path/${uid}": {
".read": true,
// or ".read": "auth.uid != null" for only authenticated users
".write": "request.auth.uid == uid"
} SHOWS ME ERROR IS HERE.
}
}
I am using this rules for now:
{
"rules": {
".read": true,
".write": false
}
}
here is one picture that I try one of other rules called Mixed public and private access.
I will be very glad if anyone can help me.
The syntax does not seem correct to refer to a child resource, check below syntax to achieve the desired effect
{
"rules": {
"some_path": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
https://firebase.google.com/docs/database/security

setting rules for a specific attribute in Firebase Realtime database

EDIT: this will also not work if I will set ".read": "true"
in any child or any sub-tree including the rules root (this is not showing here in the examples).
In my app, which manage user's wedding details such as guests, I want to let the guests write to the "arrive" field only if the "invited" field is exists (actually if it will be true , but I checked if it exists just for testing). However, I didn't manage to do this since in the Firebase console it's says that the simulated set is denied :
The rules in the Firebase console:
{
"rules": {
"Users": {
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
},
".indexOn": "email"
},
"Guests":{
"$uid":{
"$guest_id":{
"arrive":{
".read": "$uid === auth.uid",
".write": "root.child('Guests/'+ $uid + '/' + $guest_id +'/invited').exists()"
}
}
}
}
}
}
The JSON example I wrote in the Rules Playground in the console:
{
"Guests": {
"user_1": {
"guest_1": {
"arrive": false,
"invited": true
}
}
}
}
The location path in the Rules Playground:
/Guests/user_1/guest_1/arrive
I tried several approaches and they didn't work. For example:
".write": "data.parent().child('invited').exists()"
or
".write": "root.child('Guests').child($uid).child($guest_id).child('invited').exists()"

To what extent are the firebase rules of Childs overridden by rules set for 'parents' in the database?

Say topline in the database you allow authorized users to read but Childs of this database entry you only allow authorized users to read their own entry. Will giving the topline ability for all auth users to read invalidate the child rule where auth users can only read their own?
specifically will people and uid invalidate coordinates?
{
"rules": {
"people" : {
".read": "auth.uid != null",
".write": true
,"$uid": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
, "Education" :{
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"Coordinates" : {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
,"ForReUpload": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"PhotoPosts": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"WhatIamConsideringBuying": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"caption": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"peopleWhoLike" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"peopleWhoLike2" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"postID" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"users" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
}
}
}
}
Yes, any rule that applies at a high level will affect all children under it. Children can not remove access granted at a higher level. I suggest reading the documentation that discuss how read and write rules cascade:
Shallower security rules override rules at deeper paths. Child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.
.read and .write rules work from top-down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it.

Simulation failed in my firebase database rule

This is my node Jason:
{
"Users' Input History" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eylUaQcCpoyTLwbhk" : "fate"
}
},
"Users' Vocabulary List" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eyxRLoCpDftWQ4cDn" : "hardliner"
}
}
}
This "TdtIwvAPewRr1l9HY67PfkLBPbn2" is the uid for a user who can read and write his own value (here, it is "fate") under the "Users' Input History" node, and value (here, it is "hardliner") under the "Users' Vocabulary List" node.
This Jason will go on and on to have multiple users (uids) and their own multiple values. Each new user (uid) will populate under both the "Users' Input History" node and the "Users' Vocabulary List" node, and new values from that new user will populate under the new uid.
For example, I want user A (uid A) to able to read and write only his own values, and cannot read and write values from other users (uid B, C, D and so on), so I wrote my database rule like so:
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
However, as in the image below, I'm getting this error saying Simulation failed at line 12: Expected '}'. Note that there's a red mark on line 12 and a ^ mark on line 13.
What I tried:
I added '}' right before "Users' Vocabulary List". That didn't work and then I added right before "$uid". Both led me to the same error message saying: Parse error. I don't know what else I can try. Is my rule wrong and how can I correct it?
Your nested child for "Users' Vocabulary List" looks to be in the wrong place. Move it up inside the "rules" object.
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
}

How do I prevent access to changes after creating a node in Firebase Database?

I have the following case, how can I deny access to update (overwrite) the node if it already exists? For example, the request for additions to friends, I want that, this feature was executed once because it set rules in the database, but they do not work. How can this be fixed?
Rules
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
}
}
}
Data
"friends" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"friendOutgoingRequests" : {
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"timeStamp" : 1.495514876872129E9,
"userID" : "mp9pfsfVQKavwYddjYYPC5Ja9N93",
"userName" : "Tim C."
}
}
},
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"friendIncomingRequests" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"senderID" : "8OdvaGQfMVdJrlCxdc5pOaj09hy2",
"senderName" : "Alexsander K.",
"timeStamp" : 1.495514876872129E9
}
}
}
},
Update
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Update 1: Here are all the rules. I need to make a specific write rule (updates) only in friends. I saw examples that for each individual branch of their rules, but if I need to do some specific rules for one branch, and for the rest of the database you need standard rules how should I do this better?
{
"rules": {
".read": "auth != null",
".write": "auth != null",
// card location
"cardLocation": {
// Allow anyone to read the GeoFire index
//".read": true,
// Index each location's geohash for faster querying
".indexOn": "g",
},
"cards": {
".indexOn": "ownerID"
},
"userListEvents": {
"$uid": {
".indexOn": "isConfirmed"
}
},
"userImages": {
"$uid": {
"userProfileImages": {
".indexOn": "isoDate"
}
}
},
// tags
"userTags": {
"$uid": {
".indexOn": "isSelected"
}
},
// people search
//
"userLocations": {
".indexOn": "g"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
}
}
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Yes, your thought is correct. Firebase .read and .write rules cascade. So you should put every .read and .write on each child node of your data structure. Something like that:
{
"rules": {
//skip this
"someNode": {
".read": "auth != null",
".write": "auth != null"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
//...
}
}

Resources