5

The information given below is straight from the Firebase website.

```json
{
  "rules": {
    "users": {
      "$user": {
        ".read": "auth.uid === $user",
        ".write": "auth.uid === $user"
      }
    }
  }
}
```

When a client tries to access /users/barney, the $user default location will match with $user being equal to "barney". So the .read rule will check if auth.uid === 'barney'. As a result, reading /users/barney will succeed only if the client is authenticated with a uid of "barney".

Firebase is good at documenting, but I didn't find any deep discussion about using "==" or "===". As far as I know, it works the way JavaScript does.

According to their documentation

if auth.uid === 'barney'. As a result, reading /users/barney will succeed only if the client is authenticated with a uid of "barney".

Sometimes I've seen

```json
"$user": {
  ".read": "auth.uid == $user",
  ".write": "auth.uid == $user"
}
```

So my question is which one is the right way to do it? What is happening when we use "==" and "===" in rules?

user2884707bond
  • What about your question is different from [the one you linked](http://stackoverflow.com/questions/359494/which-equals-operator-vs-should-be-used-in-javascript-comparisons)? As far as I can tell, the answers there answer your question. Given that [here](https://www.firebase.com/docs/security/quickstart.html) it claims the expressions are "JavaScript-like," and so barring documentation to the contrary, the same meaning of `==` and `===` presumably applies? – T.J. Crowder Aug 12 '16 at 18:00
  • I want to know if Firebase treats "==" and "===" same! – user2884707bond Aug 12 '16 at 18:06
  • Well, it says the syntax is "JavaScript-like." Unless they tell you something else, doesn't that tell you what `==` and `===` do? – T.J. Crowder Aug 12 '16 at 18:07
  • I thought it works like JavaScript, but I haven't been able to find anything about that. Even if they do "auth.uid === 'barney'" it would contradict their document. Because if they use "===" that means they are checking if the auth.uid is also string and not comparing the content of "auth.uid"! – user2884707bond Aug 12 '16 at 18:10
  • @user2884707bond "Used to check if two variables in a rules expression have the same type and value" – 4bottiglie Nov 08 '17 at 23:31

2 Answers

6

If you consult the Firebase Database Security Rules API documentation, you will see the following definitions for equals:

=== (equals)

...
Note: == IS TREATED AS ===. If you use == in your security rules, it will be translated to === when the rules are run.

and for not equals:

!== (not equals)

...
Note: != IS TREATED AS !==. If you use != in your security rules, it will be translated to !== when the rules are run.

cartant
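
The note quoted in this answer, modelled as an added example that is not part of the original answer and is not Firebase's code: the question's rule is evaluated with both operator spellings after `==` is rewritten to `===`. The names `normalizeRule`, `resolve`, `operand`, `canRead` and `rulesFor` are hypothetical, the model handles only `a OP b` expressions with no rule cascading, and the sample inputs are constructed.

```javascript
// Added illustration, not Firebase's implementation. It models only the
// documented note: "==" is treated as "===" and "!=" as "!==".
// Limitations: handles "<operand> <op> <operand>" only, no rule cascading.

// Rewrite loose operators to strict ones; existing ===/!== are left alone.
function normalizeRule(expr) {
  return expr.replace(/(?<![=!])==(?!=)/g, "===").replace(/!=(?!=)/g, "!==");
}

// Walk the rules tree along a path, binding $wildcards to path segments.
// Path segments are always strings.
function resolve(rules, path) {
  const vars = {};
  let node = rules;
  for (const seg of path.split("/").filter(Boolean)) {
    let key = seg;
    if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      key = Object.keys(node).find((k) => k.startsWith("$"));
      if (!key) return null;
      vars[key] = seg;
    }
    node = node[key];
  }
  return { node, vars };
}

// Resolve one operand: auth.uid, a $wildcard, or a quoted string literal.
function operand(tok, auth, vars) {
  if (tok === "auth.uid") return auth ? auth.uid : null;
  if (tok.startsWith("$")) return vars[tok];
  return tok.replace(/^['"](.*)['"]$/, "$1");
}

function canRead(rules, path, auth) {
  const hit = resolve(rules.rules, path);
  if (!hit || typeof hit.node[".read"] !== "string") return false;
  const m = normalizeRule(hit.node[".read"]).match(/^(\S+) (===|!==) (\S+)$/);
  if (!m) throw new Error("unsupported expression");
  const same = operand(m[1], auth, hit.vars) === operand(m[3], auth, hit.vars);
  return m[2] === "===" ? same : !same;
}

// The question's rule, built with either operator spelling.
const rulesFor = (op) => ({
  rules: { users: { $user: { ".read": `auth.uid ${op} $user` } } },
});

// Constructed inputs. The numeric uid exists only to show a type mismatch.
console.log(canRead(rulesFor("=="), "/users/barney", { uid: "barney" }));
console.log(canRead(rulesFor("=="), "/users/42", { uid: 42 }), 42 == "42");
```

In this model a rule written with `==` denies the numeric `42` against the path key `"42"`, although plain JavaScript `42 == "42"` is true.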
1

I think Firebase treats all === as == (similarly all !== as !=).

My evidence is that the Bolt Compiler converts triple operators in your bolt file to double operators in the rules JSON output.

whatsthatitspat