Definition of Firebase security rules

0

How can I define a security rule that:

  • Allow read and write access to recipes if the logged in user is the user who has registered it
  • Allow read access to recipes if tipo is true
  • Do not allow read and write access to the recipes if the logged in user is not the user who registered it
  • Allow read and write access to users if the user name and password sent are the same as the login, I suppose it is something with newData
  • How to allow the username to be read, not to allow two users with the same name, as securely as possible
Data structure:

    {
      "receitas" : {
        "-L7bAaMB-vaJhri6r-lg" : {
          "imagem" : "default",
          "ingrediente" : [ "teste" ],
          "nome" : "teste",
          "preparo" : "teste",
          "tipo" : false,
          "usuario": "-L7WxcAHr8LkfJAiI8ku"
        },
        "-L7bAqvMu8uOoY6nX5Tx" : {
          "imagem" : "example.png",
          "ingrediente" : [ "teste2" ],
          "nome" : "teste2",
          "preparo" : "teste2",
          "tipo" : true,
          "usuario": "-L7WxcAHr8LkfJAiI8ku"
        }
      },
      "usuarios" : {
        "-L7WxcAHr8LkfJAiI8ku" : {
          "senha" : "123456789",
          "usuario" : "guilherme"
        },
        "-L7bAk3EcsoOQapV9zsb" : {
          "senha" : "123456789",
          "usuario" : "patricia"
        }
      }
    }
    
        
    asked by anonymous 15.03.2018 / 23:46

    1 answer

    1

    1. To check whether the logged-in user is the user who registered the recipe, the variables auth.uid and newData (when writing) or data (when reading) are used. That would be:

    "receitas":{
        "$idReceita":{
            ".write":"auth.uid == newData.child('usuario').val()",
            ".read":"auth.uid == data.child('usuario').val()"
        }
    }
    

    2. Just add one more condition to the read rule that checks the type: ".read":"auth.uid == data.child('usuario').val() || data.child('tipo').val() == true"

    5. With the current structure, it is not possible to have unique names in the database. For this, I recommend that you create a new node (I will call it "nomes") where you will have all the names as keys, because keys are unique and cannot be repeated. This node would look like this:

    {
        "nomes":{
            "guilherme":true,
            "patricia":true
        }
    }
    

    So, the rule for not repeating names would be:

    ".validate":"root.child('nomes').child(newData.child('usuario').val()).val() != true"
    

    And then the rules would look like this:

    {
        "rules":{
            "receitas":{
                "$idReceita":{
                    ".write":"auth.uid == newData.child('usuario').val()",
                    ".read":"auth.uid == data.child('usuario').val() || data.child('tipo').val() == true"
                }
            },
            "usuarios":{
                "$uid":{
                    ".write":"auth.uid == $uid",
                    ".read":"auth!=null",
                    ".validate":"root.child('nomes').child(newData.child('usuario').val()).val() != true"
                }
            },
            "nomes":{
                ".write":"auth!=null",
                ".read":"auth!=null"
            }
        }
    }
    

    Learn more about Realtime Database security rules.

        
    16.03.2018 / 00:53
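
A tightened variant of the final rule set in the answer above, as an added example that is not part of the original answer. It assumes users sign in through Firebase Authentication, that `usuarios` is keyed by `auth.uid`, that each recipe's `usuario` field holds that uid, and that `/nomes/<name>` stores the owning uid instead of `true`.

```json
{
  "rules": {
    "receitas": {
      "$idReceita": {
        // Public when tipo is true; otherwise only the owner can read.
        ".read": "data.child('tipo').val() === true || (auth != null && data.child('usuario').val() === auth.uid)",
        // Ownership is checked against the stored record (data) as well as
        // the incoming one (newData): an existing recipe cannot be overwritten
        // by another user, and the owner can still delete it (newData does
        // not exist on a delete).
        ".write": "auth != null && (!data.exists() || data.child('usuario').val() === auth.uid) && (!newData.exists() || newData.child('usuario').val() === auth.uid)"
      }
    },
    "usuarios": {
      "$uid": {
        // Assumption: $uid is the Firebase Authentication uid.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        "usuario": {
          // The name must already be reserved for this uid under /nomes.
          ".validate": "newData.isString() && root.child('nomes').child(newData.val()).val() === auth.uid"
        },
        // No password field in the database: Firebase Authentication
        // holds the credential (assumption stated in the lead-in).
        "senha": { ".validate": false }
      }
    },
    "nomes": {
      "$nome": {
        ".read": "auth != null",
        // The first writer claims the name; only the holder can release it.
        ".write": "auth != null && (!data.exists() || data.val() === auth.uid) && (!newData.exists() || newData.val() === auth.uid)"
      }
    }
  }
}
```

With these rules a client first writes its uid to `/nomes/<name>` and then writes `usuario` under its own `usuarios` node; the second write is rejected if the reservation belongs to someone else.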