This is my node Jason:
{
"Users' Input History" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eylUaQcCpoyTLwbhk" : "fate"
}
},
"Users' Vocabulary List" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eyxRLoCpDftWQ4cDn" : "hardliner"
}
}
}
This "TdtIwvAPewRr1l9HY67PfkLBPbn2" is the uid for a user who can read and write his own value (here, it is "fate") under the "Users' Input History" node, and value (here, it is "hardliner") under the "Users' Vocabulary List" node.
This Jason will go on and on to have multiple users (uids) and their own multiple values. Each new user (uid) will populate under both the "Users' Input History" node and the "Users' Vocabulary List" node, and new values from that new user will populate under the new uid.
For example, I want user A (uid A) to able to read and write only his own values, and cannot read and write values from other users (uid B, C, D and so on), so I wrote my database rule like so:
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
However, as in the image below, I'm getting this error saying Simulation failed at line 12: Expected '}'. Note that there's a red mark on line 12 and a ^ mark on line 13.
What I tried:
I added '}' right before "Users' Vocabulary List". That didn't work and then I added right before "$uid". Both led me to the same error message saying: Parse error. I don't know what else I can try. Is my rule wrong and how can I correct it?
Your nested child for "Users' Vocabulary List" looks to be in the wrong place. Move it up inside the "rules" object.
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
}
Related
I have a website that uses Firebase Realtime Database. It usually sends me e-mail about insecure rules warning. I searched about this here and Firebase Documantation, but when I write other rules, it gives me such error:
Error saving rules - Line 10: String can't contain ".", "#", "$", "/", "[", or "]"
{
// Allow anyone to read data, but only authenticated content owners can
// make changes to their data
"rules": {
"some_path/${uid}": {
".read": true,
// or ".read": "auth.uid != null" for only authenticated users
".write": "request.auth.uid == uid"
} SHOWS ME ERROR IS HERE.
}
}
I am using this rules for now:
{
"rules": {
".read": true,
".write": false
}
}
here is one picture that I try one of other rules called Mixed public and private access.
I will be very glad if anyone can help me.
The syntax does not seem correct to refer to a child resource, check below syntax to achieve the desired effect
{
"rules": {
"some_path": {
"$uid": {
".write": "$uid === auth.uid"
}
}
}
}
https://firebase.google.com/docs/database/security
This is what my rules look like:
{
"rules": {
"users": {
"$uid": {
".write": "$uid === auth.uid",
".read": "$uid === auth.uid"
}
},
"classes": {
"$classid": {
".read": "root.child('users').child(auth.uid).child('memberOfClasses').child('val').val().matches(*$classid*) || root.child('users').child($uid).child('ownedClasses').child('val').val().matches(*$classid*)",
".write": "root.child('users').child(auth.uid).child('memberOfClasses').child('val').val().matches(*$classid*) || root.child('users').child($uid).child('ownedClasses').child('val').val().matches(*$classid*)"
}
}
}
}
I'm getting Simulation failed - Line 11: syntax error (line 11 is the classes/$classid.read). I'm guessing it has something to do with the regex in .matches(*$classid*)
I'm trying to get it so that if for example users/auth.uid/memberOfClasses or ownedClasses equals something like "154 321 ABC", I would be able to access classes/154, classes/321, and classes/ABC.
What am I doing wrong?
The value that you pass in to matches must be a string literal.
This might work: .matches("*"+$classid+"*")
EDIT: this will also not work if I will set ".read": "true"
in any child or any sub-tree including the rules root (this is not showing here in the examples).
In my app, which manage user's wedding details such as guests, I want to let the guests write to the "arrive" field only if the "invited" field is exists (actually if it will be true , but I checked if it exists just for testing). However, I didn't manage to do this since in the Firebase console it's says that the simulated set is denied :
The rules in the Firebase console:
{
"rules": {
"Users": {
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
},
".indexOn": "email"
},
"Guests":{
"$uid":{
"$guest_id":{
"arrive":{
".read": "$uid === auth.uid",
".write": "root.child('Guests/'+ $uid + '/' + $guest_id +'/invited').exists()"
}
}
}
}
}
}
The JSON example I wrote in the Rules Playground in the console:
{
"Guests": {
"user_1": {
"guest_1": {
"arrive": false,
"invited": true
}
}
}
}
The location path in the Rules Playground:
/Guests/user_1/guest_1/arrive
I tried several approaches and they didn't work. For example:
".write": "data.parent().child('invited').exists()"
or
".write": "root.child('Guests').child($uid).child($guest_id).child('invited').exists()"
I have a database tree like so
users
-UID
--items
---all the data
I would like to add something under UID like shared:another-UID and allow the other UID to read and write everything under items.
For example:
users
-UID
--shared:different_UID
--items
---all the data
My current rules are like this
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
}
}
}
How would I change my rules to allow this?
In that case your rules would become:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && (auth.uid == $uid || data.child('shared').val() === auth.uid)",
".write": "auth != null && (auth.uid == $uid || data.child('shared').val() === auth.uid)"
}
}
}
}
So in words: the user can read/write this data if the key is the same as their user ID, or if their user ID is stored in the shared property under the data.
I have the following case, how can I deny access to update (overwrite) the node if it already exists? For example, the request for additions to friends, I want that, this feature was executed once because it set rules in the database, but they do not work. How can this be fixed?
Rules
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
}
}
}
Data
"friends" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"friendOutgoingRequests" : {
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"timeStamp" : 1.495514876872129E9,
"userID" : "mp9pfsfVQKavwYddjYYPC5Ja9N93",
"userName" : "Tim C."
}
}
},
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"friendIncomingRequests" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"senderID" : "8OdvaGQfMVdJrlCxdc5pOaj09hy2",
"senderName" : "Alexsander K.",
"timeStamp" : 1.495514876872129E9
}
}
}
},
Update
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Update 1: Here are all the rules. I need to make a specific write rule (updates) only in friends. I saw examples that for each individual branch of their rules, but if I need to do some specific rules for one branch, and for the rest of the database you need standard rules how should I do this better?
{
"rules": {
".read": "auth != null",
".write": "auth != null",
// card location
"cardLocation": {
// Allow anyone to read the GeoFire index
//".read": true,
// Index each location's geohash for faster querying
".indexOn": "g",
},
"cards": {
".indexOn": "ownerID"
},
"userListEvents": {
"$uid": {
".indexOn": "isConfirmed"
}
},
"userImages": {
"$uid": {
"userProfileImages": {
".indexOn": "isoDate"
}
}
},
// tags
"userTags": {
"$uid": {
".indexOn": "isSelected"
}
},
// people search
//
"userLocations": {
".indexOn": "g"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
}
}
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Yes, your thought is correct. Firebase .read and .write rules cascade. So you should put every .read and .write on each child node of your data structure. Something like that:
{
"rules": {
//skip this
"someNode": {
".read": "auth != null",
".write": "auth != null"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
//...
}
}