0

First off, I've previously researched this and I have referenced a previous question. I have done what is stated in this question with no positive result.

Firebase: set security rules depending on user roles

I am using: 

Angular JS
Firebase
AngularFire -- Integrate Firebase with AngularJS
E-mail and Password Firebase Authentication

I have a node in Firebase for my users:

"users" : {
  "simplelogin:49" : {
     "email" : "myemail@something.com",
     "full_name" : "First Last",
     "roles" : {
        "administrator" : true
     }
  },
  "simplelogin:64" : {
     "email" : "me@me.com",
     "full_name" : "first last",
     "roles" : {
       "administrator" : false
     }
   }
}

I am trying to add an entry in my clients table while being logged into the simplelogin:49 that as you can see is an administrator. 

// Create the Client
                var clientRef = firebaseUrl+'clients';

                var clientsListRef = new Firebase(clientRef);
                clientsListRef.push({ 
                    'uid': userData.uid,
                    'number': cl.number,
                    'company': cl.company,
                    'full_name': cl.full_name,
                    'email': cl.email,
                    'phones': {
                        'primary': cl.phones.primary,
                        'cell': cl.phones.cell,
                        'alte': cl.phones.alte
                    },
                    'addresses': {
                        'billing': {
                            'line1': cl.addresses.billing.line1,
                            'line2': cl.addresses.billing.line2,
                            'city' : cl.addresses.billing.city,
                            'state': cl.addresses.billing.state,
                            'zip'  : cl.addresses.billing.zip
                        },
                        'shipping': {
                            'line1': cl.addresses.shipping.line1,
                            'line2': cl.addresses.shipping.line2,
                            'city' : cl.addresses.shipping.city,
                            'state': cl.addresses.shipping.state,
                            'zip'  : cl.addresses.shipping.zip
                        }
                    }

                });

I have set up some rules in Firebase for the clients node and they are as follows: 

    "clients": {
       "$auth": {
          ".write": "root.child('users').child('$auth.uid').child('roles').child('administrator').val() === true"
        }
      }

I've also tried this for rules:

"clients": {
  ".write": "root.child('users').child('auth.uid').child('roles').child('administrator').val() === true"
}

All I get when I run this and it all gets put together is a permission denied error. If I run it in the Firebase Simulator, this is the result: 

Attempt to write Success({"user":"Test"}) to /clients with auth=Success({"id":49,"provider":"password","uid":"simplelogin:49"})
/
/clients:.write: "root.child('users').child('auth.uid').child('roles').child('administrator').val() === true"
    => false

No .write rule allowed the operation.
Write was denied.

I would just like to know what I'm missing. The person in the question says he/she was successful in their ventures.

Community
  • 1
  • 1
moevans
  • 319
  • 2
  • 16
  • 1
    Not sure if this is all that is wrong, but at the very least `child('$auth.uid')` should be `child($auth.uid)` (so without the quotes). `$auth` is a variable, while `'$auth'` is just a string literal. – Frank van Puffelen Jun 05 '15 at 03:28
  • Your data sample lists `users`, but your security rules reference `clients`. Not sure how we can be much help if the code doesn't accurately reproduce the conditions necessary to create your problem. See [creating an mcve](http://stackoverflow.com/help/mcve) – Kato Jun 05 '15 at 15:07
  • Frank Van Puffelen -- When I remove the quotes, Firebase throws an error that states that there is no such method or property. The docs also refer to it as being with quotes. (https://www.firebase.com/docs/web/) – moevans Jun 05 '15 at 22:04
  • Kato -- I am setting a rule for the clients node that references the users node. If the user is an administrator then that user is able to write or add a client to the clients node. – moevans Jun 05 '15 at 22:05
  • Apparently no one knows how to use role based values in firebase – moevans Jun 05 '15 at 23:48
  • If you are trying to access the authenticated user's uid, then you should use "root.child('users').child(auth.uid).child('blah blah blah')" The idea is that the auth.uid is a variable and you shouldn't use quotes. – gm_ Sep 04 '17 at 15:01

1 Answers1

0

First things first, you should use the Firebase Authentication user id that is automatically generated for each user. You will have to look at the AngularFire documentation on how to access the authenticated user id, but usually its something along the lines of:

firebase.auth().currentUser().uid

Then, once you have created the user with that id as the name of the dictionary like so:

"users" : {
  "Rx6H4mjwwgVo6UKy2vSuOD5dTwk2" : {
     "email" : "myemail@something.com",
     "full_name" : "First Last",
     "roles" : {
        "administrator" : true
     }
  },
  "U1x3narB2AQQ0FvMxu7RVQAxb7A2" : {
     "email" : "me@me.com",
     "full_name" : "first last",
     "roles" : {
       "administrator" : false
     }
   }
}

you can use the auth.uid variable in the Firebase Database Security Rules to get their user id:

"rules" : {
  "clients": {
    ".write": "root.child('users').child(auth.uid).child('roles').child('administrator').val() == true"
  }
}
gm_
  • 598
  • 6
  • 22