
Using Transactions in Firebase is a great way to atomically modify the data, but how do I know that the user actually uses my code to insert data?

For example, what if the user gets a reference to the data location (using the browser console) and overwrites the previous data using set rather than clicking on my pre-designed button, which uses a transaction in the background?

Update (an example):

var wilmaRef = new Firebase('https://docs-examples.firebaseio.com/samplechat/users/wilma');
wilmaRef.transaction(function(currentData) {
  if (currentData === null) {
    return { name: { first: 'Wilma', last: 'Flintstone' } };
  } else {
    console.log('User wilma already exists.');
    return; // Abort the transaction.
  }
});

Now, what if the user uses:

wilmaRef.set({name: { first: 'Wilma', last: 'Flintstone' }});
  • High-level answer below. But like your previous one, this question does not fit well into the Stack Overflow format. Add specific data structures and sample code to make it fit better. – Frank van Puffelen Feb 29 '16 at 11:59
  • @FrankvanPuffelen Updated the question with an example – towi_parallelism Feb 29 '16 at 12:07
  • It's still an [XY problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). Both operations have the same result. What abuse are you trying to prevent? For example: "I want to allow the user to only specify their name once, they cannot change it afterwards". If you spend some time on the [Firebase Security & Rules Guide](https://www.firebase.com/docs/security/guide/index.html), you'll find examples that implement this. – Frank van Puffelen Feb 29 '16 at 12:12
  • Thanks @FrankvanPuffelen, you are right. Maybe, I should spend more time learning the security rules. I think a rule like `".write": "!data.exists()" `could be helpful in this case. I will come back to this question after trying out some rules. – towi_parallelism Feb 29 '16 at 12:17

1 Answer


The Firebase Database has no way to ensure that it's a specific piece of code that makes a modification. See my answer to this question for more on why knowing the URL of a resource is not a security risk: How to restrict Firebase data modification?

Firebase security works based on knowing who the user is and allowing them specific read/write operations based on that knowledge. Once you take that mindset, it doesn't matter if someone uses a JavaScript console to make changes to the database that is behind your Android app. As long as the JavaScript follows the rules that you've set for the user that runs it, the changes to the database are permitted.

  • thanks for your answer, but if you give the write permission for a specific URL, then how can you guarantee that the write is done via transactions, and not a `set` – towi_parallelism Feb 29 '16 at 12:01
  • 1
    Just like there is no "how can I ensure only my app can write?", there also is not "how can I ensure that only a transaction can be used?". A transaction allows you to use the current value to determine the new value. In your security rules you'd validate such a transition too. – Frank van Puffelen Feb 29 '16 at 12:08
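The answer and the comments above make one point: the server never sees which client code produced a write, only the current value, the proposed new value and the authenticated user, so `set` and `transaction` are judged by the same rules. The following is an added example, not code from the question, the answer or Firebase. It contains a Realtime Database rules document for the write-once profile case raised in the comments (`!data.exists()` plus a shape check), and a small in-memory model of how those two expressions are evaluated. The `Snapshot` class, the `commit`/`set`/`transaction` functions and the `demo` data are assumptions constructed for this example; the evaluator is a simplified model of the hosted rules engine, not the engine itself.

```javascript
// Added example (not from the original post or Firebase): a simplified model
// of how Realtime Database security rules judge a write. The server only sees
// (current data, proposed data, auth); it cannot tell set() from transaction().

// Real Firebase rules syntax for the case discussed in the comments: a user's
// profile may be created once, by that user only, and must have a name with
// string first/last children. ".validate" is checked on top of ".write".
const RULES_JSON = `{
  "rules": {
    "users": {
      "$uid": {
        ".read": true,
        ".write": "auth != null && auth.uid === $uid && !data.exists()",
        ".validate": "newData.hasChildren(['name']) && newData.child('name').child('first').isString() && newData.child('name').child('last').isString()"
      }
    }
  }
}`;

// Minimal stand-in for a RuleDataSnapshot (assumption: only the methods the
// rules above use are modelled).
class Snapshot {
  constructor(value) { this.value = value === undefined ? null : value; }
  exists() { return this.value !== null; }
  val() { return this.value; }
  child(key) {
    const v = this.value;
    return new Snapshot(v && typeof v === 'object' ? v[key] : null);
  }
  hasChildren(keys) { return keys.every((k) => this.child(k).exists()); }
  isString() { return typeof this.value === 'string'; }
}

// JavaScript rendering of the ".write" and ".validate" expressions in
// RULES_JSON for the users/$uid location (model written for this example).
function writeAllowed({ auth, uid, data, newData }) {
  const write = auth != null && auth.uid === uid && !data.exists();
  const validate = newData.hasChildren(['name'])
    && newData.child('name').child('first').isString()
    && newData.child('name').child('last').isString();
  return write && validate;
}

// Toy in-memory database: users maps uid -> stored value (constructed data).
function createDb() { return { users: {} }; }

// The server-side commit path; both client APIs end up here with nothing but
// the proposed value, so the rule decision is identical for both.
function commit(db, auth, uid, newValue) {
  const data = new Snapshot(db.users[uid]);
  const newData = new Snapshot(newValue);
  if (!writeAllowed({ auth, uid, data, newData })) {
    return { ok: false, reason: 'PERMISSION_DENIED' };
  }
  db.users[uid] = newValue;
  return { ok: true };
}

// Client API 1: plain set() from the console or anywhere else.
function set(db, auth, uid, value) { return commit(db, auth, uid, value); }

// Client API 2: transaction(); updateFn sees the current value and returning
// undefined aborts client-side before anything reaches the server.
function transaction(db, auth, uid, updateFn) {
  const current = db.users[uid] === undefined ? null : db.users[uid];
  const proposed = updateFn(current);
  if (proposed === undefined) return { ok: false, reason: 'ABORTED' };
  return commit(db, auth, uid, proposed);
}

// Runs the scenarios from the question against the same rule.
function demo() {
  const wilma = { uid: 'wilma' };
  const profile = { name: { first: 'Wilma', last: 'Flintstone' } };
  const results = {};

  const db1 = createDb();
  results.firstSet = set(db1, wilma, 'wilma', profile).ok;
  results.secondSet = set(db1, wilma, 'wilma', { name: { first: 'Mallory', last: 'X' } }).reason;

  const db2 = createDb();
  const createOnce = (cur) => (cur === null ? profile : undefined);
  results.firstTx = transaction(db2, wilma, 'wilma', createOnce).ok;
  results.secondTx = transaction(db2, wilma, 'wilma', createOnce).reason;
  results.txThenSet = set(db2, wilma, 'wilma', profile).reason;

  results.otherUser = set(createDb(), { uid: 'fred' }, 'wilma', profile).reason;
  results.badShape = set(createDb(), wilma, 'wilma', { name: 'Wilma' }).reason;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The first create succeeds whether it arrives via `set` or via the transaction; every later overwrite is refused by the `!data.exists()` clause regardless of which client path produced it, the transaction merely aborts one step earlier on the client. A wrong `auth.uid` or a value that fails `.validate` is refused the same way. The only trust boundary is the rules document, which is why the comments steer towards writing the invariant there rather than in button handlers.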