
Here are the rules that I have:

{
  "rules": {
    "deck":{
      ".read":true,
      ".write":true,
      ".indexOn": "user"
    }
  }
}

Currently when I run:

deckRef.once('value', function(dataSnapshot) {
  console.log(dataSnapshot.ref());
});

I get all my data returned:

{
  "deck" : {
    "-JkpwAnieKjQVsdtPD4m" : {
      "deckName" : "Deck 1",
      "user" : "simplelogin:1"
    },
    "-Jkq4unexm-qwhO_U2YO" : {
      "deckName" : "Deck 2",
      "user" : "simplelogin:1"
    },
    "-Jkq5-II1q5yM6w3ytmG" : {
      "deckName" : "Deck 3",
      "user" : "simplelogin:6"
    },
    "-Jks5mbMHmPB9MwnnOCj" : {
      "deckName" : "Deck 4",
      "user" : "simplelogin:1"
    }
  }
}

But I want to prevent anyone from accessing the items that don't match the user id.

I tried changing the deck portion to:

  "deck": {
    ".read":"data.child('user').val() === auth.uid"
  }

But this returns nothing. Ideally I'd like it to return just items 1, 2 and 4 if user "simplelogin:1" is logged in, or item 3 if "simplelogin:6" is logged in.

Frank van Puffelen
Matt Coady
  • possible duplicate of [Restricting child/field access with security rules](http://stackoverflow.com/questions/14296625/restricting-child-field-access-with-security-rules) – Kato Mar 23 '15 at 16:20

1 Answer

This is a common mistake when writing Firebase security rules and it's probably clearest if I quote the relevant documentation:

SECURITY AND FIREBASE RULES WORK FROM THE TOP-DOWN

This is a critical concept of understanding Security and Firebase Rules. The child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.

Given what you're trying to accomplish, the next section also seems very relevant:

Rules Are Not Filters

Rules are applied in an atomic manner. That means that an entire read or write operation is failed immediately if any child path under the data is not accessible.

So while you may be tempted to think of Firebase security rules in terms of WHERE clauses in a SQL statement, that is not how they work. You'll have to come up with a different way to model your data if you want to secure it per user. The security guide has a pretty extensive (and complex) example of securing a chat application.

Frank van Puffelen
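One way to model the data so that the rules above can enforce per-user access, as an added example that is not part of the original question, the answer, or the Firebase documentation. It assumes the decks are moved under a per-user key, `decks/$uid/$deckId` (a layout chosen here for illustration), so that each user's records live beneath a node keyed by their own `auth.uid` (for example `decks/simplelogin:1/-JkpwAnieKjQVsdtPD4m`). Because no `.read` or `.write` is granted at `decks` itself, nothing is opened up above the `$uid` level for a child rule to have to revoke, and a read of `decks/simplelogin:1` succeeds or fails atomically for exactly that user's subtree.

```json
{
  "rules": {
    "decks": {
      "$uid": {
        // Only the authenticated owner of this subtree can list or change it.
        // There is deliberately no ".read"/".write" on "decks", so nothing is
        // granted at the parent that a child rule would need to take back.
        ".read": "auth !== null && auth.uid === $uid",
        ".write": "auth !== null && auth.uid === $uid",
        "$deckId": {
          // Every deck must carry a name, and if it still stores a "user"
          // field that field must agree with the path it is written under.
          ".validate": "newData.hasChildren(['deckName']) && (!newData.hasChild('user') || newData.child('user').val() === $uid)"
        }
      }
    }
  }
}
```

With this layout the client reads `decks/<its own uid>` rather than the whole `decks` node, which is what the atomic rule evaluation requires: the rule decides whether the entire requested subtree is accessible, so the request has to be scoped to the subtree the user is allowed to see. A client that still asks for `decks` as a whole is denied outright, which is the expected outcome rather than a filtered result.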