
So I have a Firebase that contains a list of objects all belonging to different vendors. I have restricted access to the locations using the rule:

{
  "rules": {
    "purchases": {
      ".indexOn": "code",
      "$purchaseId": {
        ".read": "root.child('vendors').child(data.child('vendor').val()).child('id').val() == auth.uid",
        ".write": "root.child('vendors').child(data.child('vendor').val()).child('id').val() == auth.uid"
      }
    }
  }
}

This rule works as expected in the simulator.

I now want to run a query on the purchases as a logged-in vendor to only retrieve my purchases. The query itself works fine if I have full admin access (i.e. from a token-based auth login), but doesn't work from a vendor (email/password) login.

Is this not possible?

I just want to return all the purchases that are authorised for my login.

My query is like this:

var ref = new Firebase("https://example.firebaseio.com");
var query = ref.orderByChild("vendor").equalTo(vendorId);
query.on("child_added", function(purchases) {
  console.log(purchases.val());
});

Is there another way of achieving this without restructuring my Firebase?

stukennedy
  • You can only query data if you have read access at the root location of the query. So Firebase rules cannot be used to filter out data you don't have access to: https://www.firebase.com/docs/security/guide/securing-data.html#section-filter. – Frank van Puffelen Oct 25 '15 at 00:32
  • Thanks for that, that's what I suspected. Having thought about it a bit, it makes sense to prevent DDoS attacks where unauthorised users can execute expensive queries. – stukennedy Oct 25 '15 at 07:25
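
The behaviour described in the comment above, as an added example that is not part of the original question and is not Firebase's own code: a simplified JavaScript model of how a read is authorised, using the rules from the question. The sample data, the uids and the names `canRead` and `queryPurchases` are constructed for illustration.

```javascript
// Simplified model of Realtime Database read authorisation (not Firebase's code).
// Constructed sample data: two vendors, one purchase each.
const db = {
  vendors: { acme: { id: "uid-alice" }, globex: { id: "uid-bob" } },
  purchases: {
    p1: { vendor: "acme", code: "A1" },
    p2: { vendor: "globex", code: "B7" },
  },
};

// The question's ".read" expression as a function of (root, data, auth).
const ownsPurchase = (root, data, auth) =>
  data != null &&
  root.vendors[data.vendor] !== undefined &&
  root.vendors[data.vendor].id === auth.uid;

// Same shape as the question's rules: no ".read" at "/" or "/purchases".
const rules = { purchases: { $purchaseId: { ".read": ownsPurchase } } };

// A read is allowed if any ".read" on the path from the root down to the
// requested location is true. Rules below that location are never consulted.
function canRead(path, auth) {
  if (auth && auth.admin) return true; // models the admin login, which is not restricted
  const segments = path.split("/").filter(Boolean);
  let rule = rules;
  let data = db;
  for (let i = 0; ; i++) {
    if (rule && typeof rule[".read"] === "function" && rule[".read"](db, data, auth)) {
      return true;
    }
    if (i === segments.length) return false;
    const key = segments[i];
    const wildcard = rule && Object.keys(rule).find((k) => k.startsWith("$"));
    rule = rule && (rule[key] || (wildcard ? rule[wildcard] : undefined));
    data = data == null ? undefined : data[key];
  }
}

// A query is a read of the location it is attached to: authorise once, then filter.
function queryPurchases(auth, vendorId) {
  if (!canRead("/purchases", auth)) return { error: "permission_denied" };
  const keys = Object.keys(db.purchases).filter((k) => db.purchases[k].vendor === vendorId);
  return { keys };
}

const alice = { uid: "uid-alice" };
console.log(queryPurchases(alice, "acme"));
console.log(canRead("/purchases/p1", alice), canRead("/purchases/p2", alice));
console.log(queryPurchases({ uid: "server", admin: true }, "acme"));
```

In this model the vendor login is refused at `/purchases` before any filtering happens, while the same login can still read `/purchases/p1` directly, which matches what the simulator and the query show in the question.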
