2

I'm following the Firebase security tutorial.

I have this simple structure:

 - requests

     - request_id: {...}

     - request_id: {...}

     ...

And my security rules:

{
    "rules": {       
      "requests": {
        ".indexOn": ["id_company_owner", "id_app_user"],

        "$request_id": {
          // only request from the last ten minutes can be read
          ".read": "data.child('timestamp').val() > (now - 600000)",
        }
      }
    }
}

All I want right now with my rule is to make my request readable. But I've to this inside (not outside) of $request_id, but no request is being readable; even if the request have the timestamp with less than 10 minutes ago. Can someone explain why?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Johnny Be Good
  • 29
  • 4

1 Answers1

1

It's hard to tell without looking at the actual data, but Firebase security rules are all-or-nothing. Firebase security rules do not filter data.

That is, if you attempted to attach a listener to /requests, and even a single item is not allowed to be read due to a security rule, none of them can be read. You'll need to listen for individual items, or restructure your data, to accomplish this "filtering" behavior.

Rob DiMarco
  • 13,226
  • 1
  • 43
  • 55
  • 1
    I understand, but even if i put: ".read": true, inside of "$request_id", the request continuous not readable. It only works if i put: ".read": true inside of "requests", but my problem is, i need to put this inside of "$request_id", because i need to check every timestamp, of each request. – Johnny Be Good Jan 26 '15 at 16:32
  • 1
    and my data looks exactly like i showed before, that is, i´ve a "collection" named "requests", and inside of it, "documents" with a hash key for every request. – Johnny Be Good Jan 26 '15 at 16:34
  • 1
    and what is weird, is that i´m just following the official documentation, simples like that and it´s not working. – Johnny Be Good Jan 26 '15 at 16:36