Need help understanding what wrong with the "Tracking" rule. I'm able to read that data even though it's marked as .read : false.
{
"rules": {
"User": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
"Purchase": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
},
"Parm": {
".read": true,
".write": false
},
"Tracking": {
".read": false,
".write": true
}
}
}
This is being done on an IOS app. Here’s the code:
Firebase *ref = [FBase referenceForTrackingDeviceId:sysparm.deviceId];
[ref observeSingleEventOfType:FEventTypeValue withBlock:^(FDataSnapshot *snapshot) {
if (snapshot.exists) {
DLog(#"got it");
} else {
DLog(#"No data");
}
}];
From the debugger:
(lldb) po ref https://<My-Firebase>/Tracking/E8C0C8FB-DE20-4017-9C74-3A6DAD6D4DC7 (lldb) po snapshot.exists YES
Related
Say topline in the database you allow authorized users to read but Childs of this database entry you only allow authorized users to read their own entry. Will giving the topline ability for all auth users to read invalidate the child rule where auth users can only read their own?
specifically will people and uid invalidate coordinates?
{
"rules": {
"people" : {
".read": "auth.uid != null",
".write": true
,"$uid": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
, "Education" :{
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"Coordinates" : {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
,"ForReUpload": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"PhotoPosts": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"WhatIamConsideringBuying": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"caption": {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"peopleWhoLike" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"peopleWhoLike2" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"postID" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
,"users" : {
".read": "auth.uid != null",
".write": "$uid === auth.uid"
}
}
}
}
}
Yes, any rule that applies at a high level will affect all children under it. Children can not remove access granted at a higher level. I suggest reading the documentation that discuss how read and write rules cascade:
Shallower security rules override rules at deeper paths. Child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.
.read and .write rules work from top-down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it.
I have a database tree like so
users
-UID
--items
---all the data
I would like to add something under UID like shared:another-UID and allow the other UID to read and write everything under items.
For example:
users
-UID
--shared:different_UID
--items
---all the data
My current rules are like this
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid"
}
}
}
}
How would I change my rules to allow this?
In that case your rules would become:
{
"rules": {
"users": {
"$uid": {
".read": "auth != null && (auth.uid == $uid || data.child('shared').val() === auth.uid)",
".write": "auth != null && (auth.uid == $uid || data.child('shared').val() === auth.uid)"
}
}
}
}
So in words: the user can read/write this data if the key is the same as their user ID, or if their user ID is stored in the shared property under the data.
i want to give access to users profile to specific users that are set by the users themselves
in this rules i want to let $userid to be able to access $user_id data
(if $user_id exist in allow_list/$userid/), i tried root.child('allow_list/'+auth.uid+'/$user_id').exists())" but its not working
this is my rules for now, not working
"users_private": {
"$user_id": {
".write": "auth != null && $user_id === auth.uid",
".read":"(auth != null) && ($user_id === auth.uid
|| root.child('allow_list/'+auth.uid+'/$user_id').exists())"
}
},
"allow_list":{
"$userid": {
//ignore these rules they are working
".read":"auth != null && $userid === auth.uid" ,
"$user_id": {
".write": "($userid == auth.uid || $user_id == auth.uid )&&
( $userid!=$user_id)",
}
}
},
I found out how, hope this help someone.
I added .child, so the rule will be like this:
|| root.child('allow_list/'+auth.uid+'/').child($user_id).exists())
I have the following case, how can I deny access to update (overwrite) the node if it already exists? For example, the request for additions to friends, I want that, this feature was executed once because it set rules in the database, but they do not work. How can this be fixed?
Rules
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()" // Only allow new nominations to be created
}
}
}
}
Data
"friends" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"friendOutgoingRequests" : {
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"timeStamp" : 1.495514876872129E9,
"userID" : "mp9pfsfVQKavwYddjYYPC5Ja9N93",
"userName" : "Tim C."
}
}
},
"mp9pfsfVQKavwYddjYYPC5Ja9N93" : {
"friendIncomingRequests" : {
"8OdvaGQfMVdJrlCxdc5pOaj09hy2" : {
"senderID" : "8OdvaGQfMVdJrlCxdc5pOaj09hy2",
"senderName" : "Alexsander K.",
"timeStamp" : 1.495514876872129E9
}
}
}
},
Update
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Update 1: Here are all the rules. I need to make a specific write rule (updates) only in friends. I saw examples that for each individual branch of their rules, but if I need to do some specific rules for one branch, and for the rest of the database you need standard rules how should I do this better?
{
"rules": {
".read": "auth != null",
".write": "auth != null",
// card location
"cardLocation": {
// Allow anyone to read the GeoFire index
//".read": true,
// Index each location's geohash for faster querying
".indexOn": "g",
},
"cards": {
".indexOn": "ownerID"
},
"userListEvents": {
"$uid": {
".indexOn": "isConfirmed"
}
},
"userImages": {
"$uid": {
"userProfileImages": {
".indexOn": "isoDate"
}
}
},
// tags
"userTags": {
"$uid": {
".indexOn": "isSelected"
}
},
// people search
//
"userLocations": {
".indexOn": "g"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
}
}
I think the problem is in this code, since I have this code also in the rules. But how can I fix it?
"rules": {
".read": "auth != null",
".write": "auth != null",
}
Yes, your thought is correct. Firebase .read and .write rules cascade. So you should put every .read and .write on each child node of your data structure. Something like that:
{
"rules": {
//skip this
"someNode": {
".read": "auth != null",
".write": "auth != null"
},
// friends
"friends": {
"$ownerID": {
"friendIncomingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
},
"friendOutgoingRequests": {
"$secondUserID": {
".write": "!data.exists()"
}
}
}
}
//...
}
}
What's wrong with this? It says
Error saving rules - Line 12: Expected '{'.
Which regards the .body line, right after the :
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"v1": {
"v2": {
"$v3": {
"v4": {
"$v5": {
".body": "newData.isString() && newData.val().length > 0 && newData.val().length < 10"
}
}
}
}
}
}
}
I got it.
The last part should have been
"body": {
".validate": "newData.isString() && newData.val().length > 0 && newData.val().length < 10"
}