I'm the Android app developer, and I'm using Firebase Realtime Database. I want to make an app that when users who want to use my app can save something like the text in their repository. But when I save the text in my app, other users who download my app can see my unique saved text. Firebase Realtime Database rules like this. But they didn't work. Please tell me how to use private node in Realtime Database.
{
"rules": {
"messages": {
"$user" : {
".read" : "$user === auth.uid",
".write" : "$user === auth.uid"
}
}
}
}
enter image description here
You also need to check if the auth rules are null. If yes, then not allow anyone to access the information. Also, you need to use a wildcard, instead of a static $uid value. So, put this inside the messages node. So, as you want people to write in the messages node, but only those who are owners to see the message, this is the code for it:
{
"rules": {
"messages": {
"${uid}": {
".read": "auth.uid != null",
".write": "auth.uid != null && auth.uid == uid"
}
}
}
}
I think the rules below do the trick. The codes snippet:auth.uid == $uid makes sure that only the owner of the node has writing rights while auth != null makes sure that only users logged in to your app can read from it.
{
"rules": {
"messages": {
"$uid" : {
".read" : "auth != null",
".write" : "auth.uid == $uid"
}
}
}
}
Another StackOverflow Question may also be useful for you if the situation becomes a little more complex.
Related
My rules look like this:
{
"rules": {
"userShaders": {
"$uid": {
"shaders": {
".write": "auth.uid === $uid",
".read": "auth.uid === $uid || data.child('public').val() == true"
}
}
}
}
}
My data looks like this:
userShaders
8v4N3yLlXAU1cpRiaDj5kkDQaKn1
shaders
myShaderName
attr_1: ""
attr_2: ""
public: false
I am not logged in as this user and am attempting to query their data. I expect to succesfully get back 0 records because they have none marked as public.
However, I'm getting a permission denied error.
My query looks like this:
val shaderRef = db
.getReference("userShaders/${uid}/shaders")
.orderByChild("public")
.equalTo(true);
shaderRef.get().addOnSuccessListener {
// do something with the data
}
To summarize, I am trying to query for only public data, while simultaneously making a rule that non-public data is impossible to fetch by other users. I want to write a query such that I may receive 0 or many records back, but never a permission denied error.
The most important thing to realize is that Firebase security rules don't filer data. Instead they merely check that you're only requesting data you are authorized for.
Your code already queries only for the public data, so you need to validate that query in your rules with something like:
"shaders": {
".read": "query.orderByChild === 'public' &&
query.equalTo === true"
}
Even with that you will still need separate read operations for the shared that this user created and all public shaders, as there's no way to express that OR condition in a single query.
Well, I ended up just separating my data into separate public and private sections in Firebase like this:
"userShaders": {
"$uid": {
"shaders": {
"public": {
".write": "auth.uid === $uid",
".read": "true"
},
"private": {
".write": "auth.uid === $uid",
".read": "auth.uid === $uid"
},
}
}
}
It's more work, because when I update the isPrivate boolean I have to make sure to delete it from the other section, but it does get the job done.
Open to other answers if there's another way to do this.
As an admin I am trying to get the users data so that I could 'read' and 'write' even through the rules of the firebase 'read','write' set to be false.
users
|
"uid"
|-firstname: "xyz"
|-lastname: "xyz"
|-email: "xyz#gmail.com"
Here, is my rules
"users": {
"$uid": {
".read": "auth != null && $uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
when I am retrieving users data from firebase using FirebaseRecyclerOptions, users data display only when I set rules read and write to true but I want even if the rules set to be false through admin I could read and write. Is this possible
FirebaseRecyclerOptions<Model> options =
new FirebaseRecyclerOptions.Builder<Model>()
.setQuery(FirebaseDatabase.getInstance().getReference("Users"), Model.class)
.build();
Add a boolean to your user object and call it admin, set it false for all the users except you.
Now copy that to your firebasee rules:
"users": {
".read":
"root.child('users').child($uid).child('Admin').val()",
".write":"
"root.child('users').child($uid).child('Admin').val()"
,"$uid": {
".read": "auth != null && $uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
}
}
Just like the isActivated boolean I have in my Users you can create a boolean called isAdmin.Add it to your admin class , give it set and get methods in your class.When you upload it to firebase you can read and write this data.
Then let your firebase rules to do the job.
It depends on what "as an admin" means to you. If the application administrator is only you for example, you could simply hard-code your own UID in the security rules:
"users": {
".read": "auth.uid === 'yourOwnUid'"
"$uid": {
".read": "auth != null && ($uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
This grants the one user access to all of /users, while everyone else can only read their own child node under that path.
Hard-coding the UID like this works great during development, as you're likely the only administrator. Later on when closer to release, you'll want to store a list of administrator UIDs in the database:
"Admins": {
"yourOwnUid": true,
"otherUid": true
}
You can then check in your rules whether the current user's UID exists in this path with:
"users": {
".read": "root.child('Admins').child(auth.uid).exists()"
...
}
I have the following problem: I have my app in development, this allows the authenticated user to add data from a crud, in the rules of firebase real-time database, when they are in "true" read and write, they are saved and visualized, but when I try to add the following rule it does not save the data
{
// Allow anyone to read data, but only authenticated content owners can
// make changes to their data
"rules": {
"some_path": {
"$uid": {
".read": true,
// or ".read": "auth.uid != null" for only authenticated users
".write": "auth.uid == $uid"
}
}
It is supposed to be so that the authenticated users can read and write their data, but that the other users can only see the published data. I cannot let users modify the data of others.
Change some_path with your refrence name
{
// Allow anyone to read data, but only authenticated content owners can
// make changes to their data
"rules": {
"some_path": {//change this with your ref_name
"$uid": {
".read": true,
// or ".read": "auth.uid != null" for only authenticated users
".write": "auth.uid == $uid"
}
}
}
}
I am using Firebase Realtime database with the below rules
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
My code to write in database is
mDatabase = FirebaseDatabase.getInstance().getReference("OWNER_DATA");
String id = mDatabase.push().getKey();
OwnerSignup ownerSignup = new OwnerSignup(id, name, email, phoneNumber);
mDatabase.child("MY_DATA").setValue(ownerSignup);
If I change the rules to
read:"false"
write:"false"
I can push the data but with the above rules I cannot insert values in the data.
Please help me to resolve this issue.
and how can I call this with API in Postman where my API is
"https://rent-c-246c0.firebaseio.com/"
I tried to do this in postman with the below given API
https://rent-c-246c0.firebaseio.com/OWNER_DATA.json
here I want to pass my auth.uid token
If you use the following rules:
read:"false" and write:"false"
It means you cannot retrieve nor add data to the database.
If you use:
{
"rules": {
"some_path": {
"$uid": {
// Allow only authenticated content owners access to their data
".read": "request.auth.uid == uid"
".write": "request.auth.uid == uid"
}
}
}
}
Then these rules restrict access to the authenticated owner of the content only. The data is only readable and writable by one user, and the data path contains the user's ID.
https://firebase.google.com/docs/rules/basics#content-owner_only_access
I am Developing an App where you live in a flat and have roommates, now I'm trying to disable access for all users that don't live in that flat.
Here are my Rules:
{
"rules": {
// no access
".read": "false",
".write": "false",
"Users" : {
"$userID" : {
//read on User Folder for all Users
".read" : "auth != null",
//write only for the user itself
".write" : "$userID === auth.uid"
}
},
"Flat" : {
"$flatID" : {
//Flat (identified through flatID) can only be accessed, if you are a roommate
".read" : "$flatID === root.child('Users').child(auth.uid).child('flatID').val()",
".write" : "$flatID === root.child('Users').child(auth.uid).child('flatID').val()"
}
}
}
}
My Database looks somewhat like this:
root
.Users
..uID
...(data)
...flatID : number
.Flat
..flatID
...(data)
So the flatID of that User is stored in his "folder" at root/Users/uID/flatID, which I try to get here: root.child('Users').child(auth.uid).child('flatID').val() and then I check it with the "folder" flatID.
Now if I try to write any Data into the flat, I don't have the right permission, and I cannot find my error.
The Users/userID rule is working fine
Thanks in advance :)
Edit:
The Data looks like this:
root
_Flat
__1
___name : "asdf"
__2
___(more Flats, for the Problem we only need one)
_Users
__F8XpTmxfIzYzrEY92alBOnx5eTO2 (Auth ID)
___flatID : 1
__nextUserID
___NextUserData
My Java Code to edit the flatname is:
fref.child("Flat").child(flatID).child("name").setValue(flatNameInput.getText().toString())
The flatID is a variable with the flatID for that user