I cannot set value to my Firebase Database using setValue(). In logs it returns me setValue at ... Permission denied. I checked my rules:
{
"rules": {
".read": "auth == null",
".write": "auth == null"
}
}
Try changing your rules to the following and it'll work.
{
"rules": {
".read": true,
".write": true
}
}
As per Frank van Puffelen's comment your rules require the user is not authenticated.
You can read more about the authentication rules here for other options if you need more secure authentication
Hope this helps you
Firstly your user must be authenticated as Firebase provide lots of platforms to make user authenticated with it. Example - Google, Facebook, Twitter etc.
As user got authenticate by firebase console he/she get access to relevant database and storage. You can also make a user as a guest by using Firebase anonymous authentication.
By doing authentication every user gets a UID using which you can use to give access to them by writing rules if you want different rules for different users.
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
By default you will get something like this in your database rules section :-
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This simply means that if the user authenticated then only give them read and write access. Apply to all users.
By doing something like this, you are making your database accessible to everyone and also those people who are not using your product.
{
"rules": {
".read": true,
".write": true
}
}
You can do this for testing purpose of your product, but this is not a secure way.
Related
I'm new to firebase. I have a problem with firebase security rules. I can write data to the firebase database but I can't read the written data.
My database look like-
user|
|_uid(auto-generated)
|
|_name:Bob
|_score:100
|_email:bob#gmail.com
My firebase database rule look like-
"user":{
"$uid":{
"uname":{
".read":"$uid=== auth.uid",
".write":"$uid=== auth.uid"
},
"score":{
".read":"$uid=== auth.uid",
".write":false
},
"email":{
".read":"$uid=== auth.uid",
".write":"$uid=== auth.uid"
}
}}
I have tested with simulator and everything(both read and write) goes fine. But can't read from my app although I logged in to an account.
When I set all read and write to true upper $uid node, all read write from my app OK too. But I want to allow read to authorized person only
I have already searched on stackoverflow, but there is no solution for this.
Sorry for my English writing skill.
As you are using realtime database the best way to handle this is to create a child authorized and then save all authorized uid in this child and then set your rules as follows:`"rules":
{
".read": true,
".write": "root.child('authorized').hasChild(auth.uid)"
}
}`
you can refer to this project to see sample implementation
If you used push() when creating the uid inside user node then the authid and uid are not the same. They have different values.MAKE SURE YOU USED THE SAME UID FROM
firebaseauth.getinstance().getcurrentuser().getuid()
If you want to authorize people to only do something to only their data you can use the following set of Rules.
{
"rules": {
"user": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
The node you have is name but the level indicated on the rules is uname...
I am creating an android project on firebase, and it requires a user to read data, irrespective of the fact that they are logged in or not. Is it possible to do so?
Try changing your rules to
{
"rules": {
".read": true,
".write": true
}
}
After some hit and trial, here is the way that worked out for me
".read": "auth == null || auth !=null",
and click PUBLISH button
I have just added security rules to my Firebase project such that reading is public and writing is only permitted for authenticated users. This is the rules' json on Firebase:
{
"rules": {
"Country" :{
".read": "true",
".write": "auth !== null",
}
}
}
There is no problem with reading at all. Writing, however, cannot be done unless a new parent is added; I use db.push() and it works greatly. Whenever some modification on data that already exists is done I get "Permission denied" in the logcat.
I have tried to do the following but it still doesn't work:
{
"rules": {
"Country" :{
".read": "true",
".write": "auth !== null && (data.exists() || !data.exists())",
}
}
}
How might this issue be solved? it will be really tiresome to delete every data the user needs to modify and re-pushing it since the application is really huge.
I have an android app that people can write something on chatbox.
They login with google account. And i have their user id which is shown below by $uid
But if there will somebody writing stupid things i want to prevent this person's writing ability.
So how can i make this by using this body. Or what is your suggestion?
{
"rules": {
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
source: https://firebase.google.com/docs/database/security/
Updated Answer
First, you have to change your banned user JSON model to follow format.
Path pattern
/banned-users/$userid: true
From above image
/banned-users/fasjdkflksdflad: true
now change your rules to the following way
{
"rules": {
"messages": {
"$messageId": {
".read": "auth.uid != null",
".write": "auth.uid != null && !root.child('/banned-users/'+auth.uid).exists()"
}
},
}
}
Say you are adding messages to the /messages path with each messages id as $messagesId then your /messages path looks like below
{
"messages": {
"-KTKvywjwDv4RpYjQglu":{
"text": "Hey Guys..."
},
"-KTKvywjwDv4RpYjQglu":{
"text": "How you doing ..."
}
}
}
Explanation
According to the rules, any logged in user can read the /messages ".read": "auth.uid != null", defines that.
To write to message to /messages path, then firebase check for if the (user is logged in AND /banned-users/user-id path exists) in firebase. As auth.uid is internal firebase variable used when rule validation. ".write": "auth.uid != null && !root.child('/banned-users/'+auth.uid).exists()" defines that.
you can ignore .validate you can achieve this by just using .write.
old answer
You cannot do it with just security rules.
First, you have to use Firebase cloud functions.
Create database trigger on the /chats database path. When the new message contains stupid things then you can delete it right away and you can get the user ID and save it to some other path say /banned-users/<userid>
Now you can write the .validate rule to check current messaging userid is not on the banned list. Using
".validate": "!root.child('/banned-users/'+$uid).exists()"
If you have to completely disable user account then you have to use Firebase Admin API.
You do not need to do this in rules. You can just disable that person's userID in the "Authentication" section of the FirebaseConsole
Screenshot attached below as sample
This would be much easier compared to adding into the rules where you have to enter the userID manually anyway.
I am new to Firebase and Android. Here in Android, I have one button called sign in which registers auth users in Firebase and I am creating child object in database and I want to allow access to only auth registered users.
So please help me how to change in Firebase rules to allow for only auth users.
Firebase rules are now:
{
"rules": {
".read": true,
".write": true
}
}
auth users register:
Email Providers Created Signed In User UID
xxx#gmail.com Oct 4, 2016 Oct 4, 2016 PZJkEQnQZNZ
and the database:
chat-aa255
- groupchat
- KTOjXlA3Zwy38er
- "msg":"hi"
- "name":"one"
Please help me how to solve this problem. Thanks in advance.
It's because you are not authorized to the Database, check the Rules Tab in the Realtime database
If it's
{
"rules": {
".read": "auth != null",
".write":"auth != null"
}
}
This means only authorized user's can write and read the Data.
Changing to
{
"rules": {
".read": true,
".write":true
}
}
Allows anyone to write the Database
When going for Production be sure to use the first one
Try this, maybe it works:
{
"rules": {
".read": "auth.email == 'xxx#gmail.com'",
".write":"auth != null"
}
}