Develop Reference

Firebase Realtime Database Security Rules for prevent create/delete not working

I saw in several places that the way to prevent create and delete was with data.exists() && newData.exists(). But when I implement them in these rules, I can still create and delete to my liking when I'm logged in. What am I doing wrong? My goal is to let authenticated users update, but not create or delete.
"rules": {
"listings": {
".read": true,
".write": "data.exists() && newData.exists() && auth != null",
},
}

My guess is that you want to allow the user to update a specific listing, and not all listings at once.
In that case you should define the .write rule on each specific listing:
"rules": {
"listings": {
".read": true,
"$listingid": {
".write": "data.exists() && newData.exists() && auth != null",
}
},
}
So with this, a user can update any existing listing, but not all listings at one.

Firebase IOS - Impersonate User

I am wanting to add to my iOS app the ability for sysadmin to login as another user as some bugs can only be recreated with certain users accounts and data.
I see the SDK has a custom token login (https://firebase.google.com/docs/auth/ios/custom-auth) can than be utilised.
I tried getting a token using firebase admin sdk
(https://firebase.google.com/docs/auth/admin/create-custom-tokens#python)
However that token when passed in via the SDK is rejected as being invalid.
Is this possible or do I have to implement this in a different way ? , currently my firebase rules are along these lines.
"rules": {
"users":
{
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
"races":
{
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
Do I simply need to redefine the rules to allow for a superuser access and then within the app use that users userid?

Simulation failed in my firebase database rule

This is my node Jason:
{
"Users' Input History" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eylUaQcCpoyTLwbhk" : "fate"
}
},
"Users' Vocabulary List" : {
"TdtIwvAPewRr1l9HY67PfkLBPbn2" : {
"-M-eyxRLoCpDftWQ4cDn" : "hardliner"
}
}
}
This "TdtIwvAPewRr1l9HY67PfkLBPbn2" is the uid for a user who can read and write his own value (here, it is "fate") under the "Users' Input History" node, and value (here, it is "hardliner") under the "Users' Vocabulary List" node.
This Jason will go on and on to have multiple users (uids) and their own multiple values. Each new user (uid) will populate under both the "Users' Input History" node and the "Users' Vocabulary List" node, and new values from that new user will populate under the new uid.
For example, I want user A (uid A) to able to read and write only his own values, and cannot read and write values from other users (uid B, C, D and so on), so I wrote my database rule like so:
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
However, as in the image below, I'm getting this error saying Simulation failed at line 12: Expected '}'. Note that there's a red mark on line 12 and a ^ mark on line 13.
What I tried:
I added '}' right before "Users' Vocabulary List". That didn't work and then I added right before "$uid". Both led me to the same error message saying: Parse error. I don't know what else I can try. Is my rule wrong and how can I correct it?

Your nested child for "Users' Vocabulary List" looks to be in the wrong place. Move it up inside the "rules" object.
{
"rules": {
"Users' Input History": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
},
"Users' Vocabulary List": {
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
}

firebase realtime database rules, give access to user to access another user data

i want to give access to users profile to specific users that are set by the users themselves
in this rules i want to let $userid to be able to access $user_id data
(if $user_id exist in allow_list/$userid/), i tried root.child('allow_list/'+auth.uid+'/$user_id').exists())" but its not working
this is my rules for now, not working
"users_private": {
"$user_id": {
".write": "auth != null && $user_id === auth.uid",
".read":"(auth != null) && ($user_id === auth.uid
|| root.child('allow_list/'+auth.uid+'/$user_id').exists())"
}
},
"allow_list":{
"$userid": {
//ignore these rules they are working
".read":"auth != null && $userid === auth.uid" ,
"$user_id": {
".write": "($userid == auth.uid || $user_id == auth.uid )&&
( $userid!=$user_id)",
}
}
},

I found out how, hope this help someone.
I added .child, so the rule will be like this:
|| root.child('allow_list/'+auth.uid+'/').child($user_id).exists())

Firebase security not working

Need help understanding what wrong with the "Tracking" rule. I'm able to read that data even though it's marked as .read : false.
{
"rules": {
"User": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
"Purchase": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
"Parm": {
".read": true,
".write": false
},
"Tracking": {
".read": false,
".write": true
}
}
}
This is being done on an IOS app. Here’s the code:
Firebase *ref = [FBase referenceForTrackingDeviceId:sysparm.deviceId];
[ref observeSingleEventOfType:FEventTypeValue withBlock:^(FDataSnapshot *snapshot) {
if (snapshot.exists) {
DLog(#"got it");
} else {
DLog(#"No data");
}
}];
From the debugger:
(lldb) po ref https://<My-Firebase>/Tracking/E8C0C8FB-DE20-4017-9C74-3A6DAD6D4DC7 (lldb) po snapshot.exists YES