1

I got firebase database structure like this:

database
   - chat
        -user1
             -user2
                -chat1
                   -message : a
        -user2
             -user1
                -chat1
                   -message : a
             -user3
                -chat1
                   -message : a
         -user3
             -user2
                -chat1
                   -message : a

The question is, how do I prevent user (in case user1) to write chat message to user2 from user3.

example:

Im user1 with javascript command

firebase.database().ref("chat/user2/user3/chat2").set({
     message: "HAHA"
});

Command above said that me as user1 to write new chat for user2 from user3 with message "HAHA". I want to prevent this case with firebase rules. can someone help me how to write the rules and sign in method should I use?

Thank You.

RaiN
  • 152
  • 1
  • 9

2 Answers2

1

It looks like you have a structure as follows:

chats
    $recipientUid
        $senderUid
            $chatMessageId

Securing that only the sender can write would be:

{
  "rules": {
    "chat": {
      "$recipientUid": {
        "$senderUid": {
          ".write": "auth.uid == $senderUid"
        }
      }
    }
  }
}

It is more common to store the messages between specific users in a chat-room like structure though. See Best way to manage Chat channels in Firebase

Community
  • 1
  • 1
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
  • Thanks for the answer sir, but now the problem is that uids are not uids genereated from firebase user.. it's a string from user (username).. can I compare senderUid with specified string from user? I think I cant restructure the database now.. over 500 people have used it and I cant delete all of those chats.. – RaiN Aug 12 '16 at 03:50
  • In order to secure access to the data to specific users, you must have some way in the security rules to associate nodes with specific users. That can only be done through the `auth` variable. The most common property to use is `auth.uid`. Unless you are minting custom tokens, your `username` won't be part of the auth variable, so it won't be possible to secure access based on that. – Frank van Puffelen Aug 12 '16 at 03:55
  • How about auth.token.name? Can I use that, sir? – RaiN Aug 12 '16 at 04:05
  • Unless you're minting custom tokens (which I highly doubt), there is limited information that's available in the `auth` variable. What is the username that you use? Where does it come from? If it's something the user enters in your app, it doesn't magically appear in the `auth` variable. But you might be able to map the `auth.uid` to a username somehow. Note that all of this information would be very useful in your original question. Use the [edit](http://stackoverflow.com/posts/38901764/edit) link to add it. – Frank van Puffelen Aug 12 '16 at 04:14
0

Have you try the data structure from firebase documentation? because in your case i think it's kinda impossible to do that, therefore you need to flattened your database structure. Even though you might be able to use wildcards, but it still tough to do since in one client there is only one uid, therefore you can't really write "chat message" in other user's node without knowing their uid at the frontend.

My advice, try to modify the structure by thinking "how chat participant can access their own chat database?" that you can simply use rules that each user can write to their own node in that "chat room" which others can read. CMIIW

regards,

R. M.

R. M.
  • 41
  • 3