in my Android app I want to implement real-time database by Firebase.
The rules are not very simply:
--AUTHOR: write periodicals strings
----ADMIN: create a "chat/room" and invite friends
------MEMBER: read periodicals strings and write own data.
Also:
ADMIN is also a MEMBER.
Every "chat/room" is about 10 MEMBERS.
MEMBER can write its own data and read periodical strings (by author) and the data of the
other 9 members.
Actually, my rules' code is:
{
"rules": {
"chats": {
"$chatID": {
"messages": {
".read": "data.parent().child('members').child(auth.uid).exists()",
".write": "data.parent().child('members').child(auth.uid).val() == 'owner' || data.parent().child('members').child(auth.uid).val()=='chatter'"
},
"members": {
".read": "data.child(auth.uid).val() == 'owner'",
".write": "data.child(auth.uid).val() == 'owner' ||(!data.exists()&&newData.child(auth.uid).val()=='owner')"
},
"pending": {
".read": "data.parent().child('members').child(auth.uid).val() === 'owner'",
".write": "data.parent().child('members').child(auth.uid).val() === 'owner'",
"$uid": {
".write": "$uid === auth.uid && !data.exists() && !data.parent().parent().child('members').child($uid).exists()"
}
}
}
}
}
}
I'm not able to work with code. Anyone can help me? Thanks.
Related
I made a chat application using firebase realtime database. Users can send private messages to each other. How should the rules part be? I keep getting emails from Firebase that the rules are not reliable.
This is my firebase Collections:
This is my firebase Rules:
{
"rules": {
".read": "auth.uid!=null",
".write": "auth.uid!=null",
}
}
Only an authenticated admin user can read and write their own admin-user data:
{
"rules": {
"admin-users": {
"$userId": {
".read" : "auth.uid === $userId",
".write": "auth.uid === $userId"
}
}
}
}
Or:
{
"rules": {
"admin-users": {
"$user": {
".read" : "data.child('userUid').val() === auth.uid",
".write": "data.child('userUid').val() === auth.uid"
}
}
}
}
An authenticated user can read all data under Users.
An authenticated user can can only update their own data except the 'userUid' field. Can only update the 'userUid' field if it is a new document creation ('!data.exists()') e.g when it is a signup/register.
An authenticated admin can read and write all the data in Users including the 'userUid' field.
{
"rules": {
"users": {
".read": "auth !== null",
"$userId": {
"userId": {
".write": "root.child('admin-users').child(auth.uid).exists() || !data.exists()"
},
"$other_fields": {
".write": "$userId === auth.uid || root.child('admin-users').child(auth.uid).exists()"
}
}
}
}}
Only Admins can read and write everything in under Chats
Authenticated users can read chat messages in which their userUid matches either 'senderId' or 'receiverId'
Authenticated users can write/update a message only if their userUid matches 'senderId'.
{
"rules": {
"chats": {
".read": "root.child('admin-users').hasChild(auth.uid)",
".write": "root.child('admin-users').hasChild(auth.uid)",
"$chat": {
"$message": {
".read": "auth !== null && data.child('receiverId').val() === auth.uid || data.child('senderId').val() === auth.uid",
".write": "auth !== null && !data.exists() || data.child('senderId').val() === auth.uid"
}
}
}
}}
These sample rules are just to give guidance on how security rules work. You can create different rules that can work as well with your use case. See link for more details https://firebase.google.com/docs/rules/insecure-rules
https://firebase.google.com/docs/database/security/core-syntax
As an admin I am trying to get the users data so that I could 'read' and 'write' even through the rules of the firebase 'read','write' set to be false.
users
|
"uid"
|-firstname: "xyz"
|-lastname: "xyz"
|-email: "xyz#gmail.com"
Here, is my rules
"users": {
"$uid": {
".read": "auth != null && $uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
when I am retrieving users data from firebase using FirebaseRecyclerOptions, users data display only when I set rules read and write to true but I want even if the rules set to be false through admin I could read and write. Is this possible
FirebaseRecyclerOptions<Model> options =
new FirebaseRecyclerOptions.Builder<Model>()
.setQuery(FirebaseDatabase.getInstance().getReference("Users"), Model.class)
.build();
Add a boolean to your user object and call it admin, set it false for all the users except you.
Now copy that to your firebasee rules:
"users": {
".read":
"root.child('users').child($uid).child('Admin').val()",
".write":"
"root.child('users').child($uid).child('Admin').val()"
,"$uid": {
".read": "auth != null && $uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
}
}
Just like the isActivated boolean I have in my Users you can create a boolean called isAdmin.Add it to your admin class , give it set and get methods in your class.When you upload it to firebase you can read and write this data.
Then let your firebase rules to do the job.
It depends on what "as an admin" means to you. If the application administrator is only you for example, you could simply hard-code your own UID in the security rules:
"users": {
".read": "auth.uid === 'yourOwnUid'"
"$uid": {
".read": "auth != null && ($uid === auth.uid",
".write": "auth != null && $uid === auth.uid"
}
}
This grants the one user access to all of /users, while everyone else can only read their own child node under that path.
Hard-coding the UID like this works great during development, as you're likely the only administrator. Later on when closer to release, you'll want to store a list of administrator UIDs in the database:
"Admins": {
"yourOwnUid": true,
"otherUid": true
}
You can then check in your rules whether the current user's UID exists in this path with:
"users": {
".read": "root.child('Admins').child(auth.uid).exists()"
...
}
I created my app with the following database structure
Root/
Users/
+12345566777
+12345667765
+43223456677
And here it is an example of my security rules
{
"rules": {
"$uid": {
"Users": {
".read": "auth != null",
".write": "auth != null && auth.uid == $uid"
}
}
}
}
My problem is that instead of verifiying the auth.uid inside of my security rules i want to verify the (identifiant) the UserPhoneId is there any way to do that, thank you.
{
"rules": {
".read": "true",
".write": "true"
}
}
Please mention complete code that I have to put in the Rules section of Firebase since I am facing error while entering the above code.
Read here
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
But this is not secure.
Firebase say that "Your security rules are not secure. Any authenticated user can steal, modify, or delete data in your database."
If you are using firebase then the rules below apply as an example, for firestore the rule structure is a little different.
To change the rulles you can go to the firebase project area Database on the left menu and then rules on the blue menu.
However I need to mention that if you are doing a firebase deploy you WILL OVERWRITE these rulles with the contents of database.rules.json that is in your top level for firebase project structure and firestore.rules for firestore.
{
"rules": {
".read": true,
".write": "auth != null",
"FirstlevelNode_1": {
".read": "auth != null",
".write": "auth.uid == 'NyEFUW2fdsbgv3WRQRHl4K4YWTxf17Dgc2' || auth.uid == '34x5KfLnk4fgyrjMtvvanb4VSypenBC83'"
},
"FirstlevelNode_2_with_children": {
".read": true,
".write": "auth.uid == 'NyEFUWv3WRQRHl4K4YWTdsfdxf17Dgc2' || auth.uid == '34x5KfLnk4Mtvvanb4VSypfdsahenBC83'",
"SecondLevelNode_1": {
"$uid": {
".read": true,
".write": "$uid === auth.uid || auth.uid == 'NyEFUWv3WRQRHlddsfsadsa4K4YWTxf17Dgc2' '"
}
},
"SecondLevelNode_2": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid "
}
}
}
}
}
Structure:
{
"accounts" : {
"JGeRgwAUBM..." : {
"active" : true,
"created" : 1468406951438,
"key" : "JGeRgwAUBM..."
}
}
Rules:
{
"rules": {
".read": false,
".write": false,
"accounts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
Goal:
Instead of using the auth.uid as key for the data, I would rather prefer to use the generated key from push().getKey()
{
"accounts" : {
"theKeyIGetFrom: push().getKey()" : {
"active" : true,
"created" : 1468406951438,
"auth_uid" : "JGeRgwAUBM..."
}
}
Looking for the rule set for something like this:
{
"rules": {
".read": false,
".write": false,
"accounts": {
"$key": {
".read": "$key.auth_uid === auth.uid",
".write": "$key.auth_uid === auth.uid"
}
}
}
}
Answering your question, you will be able to achieve the rules you want with the rules bellow.
{
"rules": {
"accounts": {
"$key": {
".read": "data.child(auth_uid).val() === auth.uid",
".write": "data.child(auth_uid).val() === auth.uid"
}
}
}
}
But keep in mind that, to retrieve and write data, you would need to already know the $key's since you wont be able to get any data by accessing /accounts. Thats beacause you don't have read/write rules to access the specific /accounts branch.
If it was in my hands I would prefer going with your current /accounts/uid solution. You would always be easly able to retrieve users data since you could get the current authenticated user uid.