I want to create a rule, which when one login account reads and writes to the database, can you help me, and is there something wrong with my code?
this my rules database
{
"rules": {
"User": {
"$uid": {
".read": "auth !== null && auth.uid === $uid",
".write": "auth !== null && auth.uid === $uid"
}
},
"Layanan Nasabah": {
".read": "root.child('User/' + auth.uid).exists()",
".write": "root.child('User/' + auth.uid).exists()"
}
}
}
this my codes
database.child("Layanan Nasabah").child(mAuth.getUid()).setValue(new pengaduan
(getNo,getNo_Tiket,getNama_Penelpon,getPenelpon1,getPenelpon2,getEmail,getPertanyaan,getTertanggung,getNo_Polis,getObyek,getCatatan)).addOnSuccessListener(unused -> {
Toast.makeText(TambahActivity.this, "Data Berhasil Disimpan", Toast.LENGTH_SHORT).show();
startActivity(new Intent(TambahActivity.this, OnprogressActivity.class));
finish();
}).addOnFailureListener(e ->
Toast.makeText(TambahActivity.this, "Data Gagal Disimpan", Toast.LENGTH_SHORT).show());
}
From what I understand you want only logged in users (authenticated users) to read/write to nodes in your database.
This rule:
".write": "auth !== null && auth.uid === $uid"
Means that any authenticated user can only write to his own uid.
In users node, you already did what you are asking for:
//because this means any authenticated user can read and write their
//own nodes (UIDs)
"User": {
"$uid": {
".read": "auth !== null && auth.uid === $uid",
".write": "auth !== null && auth.uid === $uid"
}
}
UPDATE
If you also want that authenticated users only can read and write to Layanan Nasabah node, you can do this:
"Layanan Nasabah": {
"$uid":{
".read": "root.child('User/' + auth.uid).exists() && auth !== null && auth.uid === $uid",
".write": "root.child('User/' + auth.uid).exists() && auth !== null && auth.uid === $uid"
}
}
Related
I made a chat application using firebase realtime database. Users can send private messages to each other. How should the rules part be? I keep getting emails from Firebase that the rules are not reliable.
This is my firebase Collections:
This is my firebase Rules:
{
"rules": {
".read": "auth.uid!=null",
".write": "auth.uid!=null",
}
}
Only an authenticated admin user can read and write their own admin-user data:
{
"rules": {
"admin-users": {
"$userId": {
".read" : "auth.uid === $userId",
".write": "auth.uid === $userId"
}
}
}
}
Or:
{
"rules": {
"admin-users": {
"$user": {
".read" : "data.child('userUid').val() === auth.uid",
".write": "data.child('userUid').val() === auth.uid"
}
}
}
}
An authenticated user can read all data under Users.
An authenticated user can can only update their own data except the 'userUid' field. Can only update the 'userUid' field if it is a new document creation ('!data.exists()') e.g when it is a signup/register.
An authenticated admin can read and write all the data in Users including the 'userUid' field.
{
"rules": {
"users": {
".read": "auth !== null",
"$userId": {
"userId": {
".write": "root.child('admin-users').child(auth.uid).exists() || !data.exists()"
},
"$other_fields": {
".write": "$userId === auth.uid || root.child('admin-users').child(auth.uid).exists()"
}
}
}
}}
Only Admins can read and write everything in under Chats
Authenticated users can read chat messages in which their userUid matches either 'senderId' or 'receiverId'
Authenticated users can write/update a message only if their userUid matches 'senderId'.
{
"rules": {
"chats": {
".read": "root.child('admin-users').hasChild(auth.uid)",
".write": "root.child('admin-users').hasChild(auth.uid)",
"$chat": {
"$message": {
".read": "auth !== null && data.child('receiverId').val() === auth.uid || data.child('senderId').val() === auth.uid",
".write": "auth !== null && !data.exists() || data.child('senderId').val() === auth.uid"
}
}
}
}}
These sample rules are just to give guidance on how security rules work. You can create different rules that can work as well with your use case. See link for more details https://firebase.google.com/docs/rules/insecure-rules
https://firebase.google.com/docs/database/security/core-syntax
I have checked the documentation but I am not sure how to apply that rule to my specific data structure, please check how my data is organized and provide me the rules as it is supposed to go.
I am using realtime Database, in my app code I write and read base on the user ID, but firebase keeps telling I should change my rules.
To apply the rules in the documentation on content-owner only access to your structure would take:
{
"rules": {
"Expenses": {
"$uid": {
// Allow only authenticated content owners access to their data
".read": "auth != null && auth.uid == $uid"
".write": "auth != null && auth.uid == $uid"
}
},
"Users": {
"$uid": {
// Allow only authenticated content owners access to their data
".read": "auth != null && auth.uid == $uid"
".write": "auth != null && auth.uid == $uid"
}
}
}
}
I created my app with the following database structure
Root/
Users/
+12345566777
+12345667765
+43223456677
And here it is an example of my security rules
{
"rules": {
"$uid": {
"Users": {
".read": "auth != null",
".write": "auth != null && auth.uid == $uid"
}
}
}
}
My problem is that instead of verifiying the auth.uid inside of my security rules i want to verify the (identifiant) the UserPhoneId is there any way to do that, thank you.
My Firebase Database structures is as follows:
{
"accounts" : {
"API_Keys" : {
"Unique ID over here" : {
"api_key" : "None",
}
}
},
"users" : {
"Unique UID over here" : {
"email" : "abc#gmail.com",
"username": "abc",
"age": "18"
},
}
}
I have implemented the following security rules for this.
{
"rules": {
"accounts": {
"API_Keys":{
"$uid":{
".read": "$uid === auth.uid && auth != null ",
".write": "$uid === auth.uid && auth != null"
}
}
},
"users": {
"$uid":{
".read": "$uid === auth.uid && auth != null ",
".write": "$uid === auth.uid && auth != null"
}
}
}
}
The user is going to link in his personal details and also an API Key. No user should be allowed to access any one else's keys somehow. Are the above rules satisfactory for this? Am i missing something?
It looks OK to me, though usually you reverse the order of the test to "auth != null && auth.uid == $uid", as seen in the documentation. You can test for yourself using the rules simulator in the Firebase console.
{
"rules": {
".read": "true",
".write": "true"
}
}
Please mention complete code that I have to put in the Rules section of Firebase since I am facing error while entering the above code.
Read here
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
But this is not secure.
Firebase say that "Your security rules are not secure. Any authenticated user can steal, modify, or delete data in your database."
If you are using firebase then the rules below apply as an example, for firestore the rule structure is a little different.
To change the rulles you can go to the firebase project area Database on the left menu and then rules on the blue menu.
However I need to mention that if you are doing a firebase deploy you WILL OVERWRITE these rulles with the contents of database.rules.json that is in your top level for firebase project structure and firestore.rules for firestore.
{
"rules": {
".read": true,
".write": "auth != null",
"FirstlevelNode_1": {
".read": "auth != null",
".write": "auth.uid == 'NyEFUW2fdsbgv3WRQRHl4K4YWTxf17Dgc2' || auth.uid == '34x5KfLnk4fgyrjMtvvanb4VSypenBC83'"
},
"FirstlevelNode_2_with_children": {
".read": true,
".write": "auth.uid == 'NyEFUWv3WRQRHl4K4YWTdsfdxf17Dgc2' || auth.uid == '34x5KfLnk4Mtvvanb4VSypfdsahenBC83'",
"SecondLevelNode_1": {
"$uid": {
".read": true,
".write": "$uid === auth.uid || auth.uid == 'NyEFUWv3WRQRHlddsfsadsa4K4YWTxf17Dgc2' '"
}
},
"SecondLevelNode_2": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid "
}
}
}
}
}