Definition of firebase security rules

Question

Definition of firebase security rules

Asked 6 years, 8 months ago

Viewed 1,785 times

1

How can I define a safety rule that:

Allow read and write access to recipes if the logged in user is the user who registered it
Allow read access to recipes if the tipo for true
Do not allow read and write access to recipes if the logged in user is not the user who registered it
Allow read and write access to users if the username and password sent are the same registered (login), I imagine something with newData
How to allow reading of the user name, not to allow two users with the same name, in the most secure way possible

Data structure:

{
  "receitas" : {
    "-L7bAaMB-vaJhri6r-lg" : {
      "imagem" : "default",
      "ingrediente" : [ "teste" ],
      "nome" : "teste",
      "preparo" : "teste",
      "tipo" : false,
      "usuario": "-L7WxcAHr8LkfJAiI8ku"
    },
    "-L7bAqvMu8uOoY6nX5Tx" : {
      "imagem" : "example.png",
      "ingrediente" : [ "teste2" ],
      "nome" : "teste2",
      "preparo" : "teste2",
      "tipo" : true,
      "usuario": "-L7WxcAHr8LkfJAiI8ku"
    }
  },
  "usuarios" : {
    "-L7WxcAHr8LkfJAiI8ku" : {
      "senha" : "123456789",
      "usuario" : "guilherme"
    },
    "-L7bAk3EcsoOQapV9zsb" : {
      "senha" : "123456789",
      "usuario" : "patricia"
    }
  }
}

Show the rules you currently have.

– Rosário Pereira Fernandes

2018/03/15 at 23:27
@Rosáriopereirafernandes currently my rules are public (read and write are true)

– Costamilam

2018/03/15 at 23:27
Points 1 and 3 say the same thing ..

– Rosário Pereira Fernandes

2018/03/15 at 23:28
@Rosáriopereirafernandes I know that, but to keep it very clear...

– Costamilam

2018/03/15 at 23:29
At point 4, do you talk about reading and writing at which node? Recipes or users?

– Rosário Pereira Fernandes

2018/03/15 at 23:36
user, refers to login

– Costamilam

2018/03/15 at 23:37
Point 4 is not yet clear. You can give examples of what is allowed and what is not?

– Rosário Pereira Fernandes

2018/03/15 at 23:53
Point 4 is just a way for two users to register the same data and connect to each other’s account, so you can’t have two equal user names

– Costamilam

2018/03/15 at 23:58

Show 3 more comments

1 answer

Browser other questions tagged firebase security-guard realtime-database

You are not signed in. Login or sign up in order to post.

by Rosário Pereira Fernandes • **1,086** points · Answer 1 · 2018-03-15T23:53:14+00:00

1.To verify if the logged-in user is the user who registered the revenue, the variable is used auth.uid and the newData (in the case of writing) or data (in reading). That would be:

"receitas":{
            "$idReceita":{
                ".write":"auth.uid == newData.child('usuario').val()",
                ".read":"auth.uid == data.child('usuario').val()"
            }
        }

2.Just add one more condition in the read that checks the type: ".read":"auth.uid == data.child('usuario').val() || data.child('tipo').val() == true"

5.With the current structure, it is not possible to have unique names in the database. For this, I recommend that you create a new node (I will call "names") where you will have all the names as keys, because keys are unique and cannot be repeated. That knot would look like this:

{
    "nomes":{
        "guilherme":true,
        "patricia":true
    }
}

Thus, the rule not to repeat names would be:

".validate":"root.child('nomes').child(newData.child('usuario').val()).val() != true"

And then the rules would stay like this:

{
    "rules":{
        "receitas":{
            "$idReceita":{
                ".write":"auth.uid == newData.child('usuario').val()",
                ".read":"auth.uid == data.child('usuario').val() || data.child('tipo').val() == true"
            }
        },
        "usuarios":{
            "$uid":{
                ".write":"auth.uid == $uid",
                ".read":"auth!=null",
                ".validate":"root.child('nomes').child(newData.child('usuario')).val() != true"
            }
        },
        "nomes":{
            ".write":"auth!=null",
            ".read":"auth!=null"
        }
    }
}

Learn more about Realtime Database security rules in this article.