This is what my data currently looks like:

```json
{
  "teams" : {
    "-K04MPQOs2aXBCyCvYNM" : {
      "members_id" : [ "google:xyz","facebook:1234" ],
      "name" : "team A",
      "owner_id" : "google:xyz"
    },
    "-K04MrZxqPJru9-a_GjT" : {
      "member_ids" : [ "facebook:1234" ],
      "name" : "Team B",
      "owner_id" : "facebook:1234"
    }
  },
  "users" : {
    "facebook:1234" : {
      "name" : "John"
    },
    "google:xyz" : {
      "name" : "Jane"
    }
  }
}
```

team A was created by Jane and should be readable by her and John. Team B was created by John and should only be readable by him.

The rules I have are not allowing Jane to see any of the teams.

```json
{
    "rules": {
        "teams": {
            "$team":{
                ".read": "data.child('owner_id').val() == auth.uid",
                ".write": true
            }
        }
    }
}
```

How do I make it so that only the owner and the members of a team can list the teams?

Angel S. Moreno
  • Since you specify `".read": true` on the `teams` node, these rules will allow *everyone* to read all teams. Once a parent node grants a permission, a lower level node cannot take it away. Can you show the code for an operation that is denied, but that you want to allow? – Frank van Puffelen Oct 08 '15 at 07:30
  • Ok, I'll modify the rules and test. I am not coding just yet. I am using the simulator. I am authenticating with a uid that matches Jane's uid in order to confirm she can only see one of the teams – Angel S. Moreno Oct 08 '15 at 07:54
  • What I am assuming is `".read": "data.child('owner_id').val() == auth.uid"` means you can only see the team if the team's owner_id matches the authenticated user's uid. Am I wrong? – Angel S. Moreno Oct 08 '15 at 08:00
  • Which path are you trying to read? Neither Jane nor John can read `/teams`, since they don't have read access there. You've only given them access to their own individual team. See "Rules are not filters" here: https://www.firebase.com/docs/security/guide/securing-data.html#section-filter – Frank van Puffelen Oct 08 '15 at 09:50
  • I'm by now pretty sure, you're looking for these: http://stackoverflow.com/questions/21038981/how-to-use-firebase-rules-to-only-give-permission-to-certain-leaf-nodes, http://stackoverflow.com/questions/18550944/security-rules-lists-of-data-that-can-be-read, http://stackoverflow.com/questions/14296625/restricting-child-field-access-with-security-rules – Frank van Puffelen Oct 08 '15 at 09:51
  • I see now that I am trying to use rules for filtering. – Angel S. Moreno Oct 08 '15 at 15:25
  • Not uncommon, because it's one of the more unusual aspects of the Firebase security model. I marked your question as a duplicate. – Frank van Puffelen Oct 08 '15 at 21:42
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/91792/discussion-between-angel-s-moreno-and-frank-van-puffelen). – Angel S. Moreno Oct 08 '15 at 22:41
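
The evaluation model described in the comments ("rules are not filters", and a parent grant cannot be taken away lower down), as an added example that is not part of the original question and is not Firebase code. The `canRead` helper and the encoding of each `.read` rule as a function are assumptions made for illustration; the data is a constructed copy of the question's teams.

```javascript
// Constructed copy of the question's data (only the field the rule checks).
const db = {
  teams: {
    "-K04MPQOs2aXBCyCvYNM": { name: "team A", owner_id: "google:xyz" },
    "-K04MrZxqPJru9-a_GjT": { name: "Team B", owner_id: "facebook:1234" },
  },
};

// The question's ".read" rule, modelled as a function of (data, auth).
const ownerOnly = (data, auth) => data != null && data.owner_id === auth.uid;
const questionRules = { teams: { $team: { ".read": ownerOnly } } };
// Variant from the first comment: ".read": true on the teams node.
const openRules = { teams: { ".read": () => true, $team: { ".read": ownerOnly } } };

// Simplified model (hypothetical helper, not Firebase code): a read of `path`
// is allowed if any ".read" rule from the root down to `path` is true.
// Rules below `path` are never consulted, and the answer is all-or-nothing.
function canRead(rules, data, path, auth) {
  const segments = path.split("/").filter(Boolean);
  let rule = rules;
  for (let i = 0; ; i++) {
    if (rule && typeof rule[".read"] === "function" && rule[".read"](data, auth)) {
      return true; // granted here, so it cascades to everything below
    }
    if (i === segments.length) return false; // reached the path, nothing granted
    const key = segments[i];
    const wildcard = rule && Object.keys(rule).find((k) => k.startsWith("$"));
    rule = rule && (rule[key] || rule[wildcard]);
    data = data == null ? undefined : data[key];
  }
}

const jane = { uid: "google:xyz" };
const teamA = "/teams/-K04MPQOs2aXBCyCvYNM";
const teamB = "/teams/-K04MrZxqPJru9-a_GjT";

console.log(canRead(questionRules, db, "/teams", jane)); // list read: denied, not filtered
console.log(canRead(questionRules, db, teamA, jane));    // her own team
console.log(canRead(questionRules, db, teamB, jane));    // John's team
console.log(canRead(openRules, db, teamB, jane));        // parent grant overrides $team
```

In this model, a read of `/teams` fails outright for Jane even though one child would pass its own rule, which is the behaviour the simulator showed.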

0 Answers