
I have the following form of database

```
Database
    users
        <UID>
            user
                <other information>
```

I am trying to read all my users in admin mode and only allow individual users to access their own information.

I am trying this rule:

```json
"users": {
    "$uid": {
        ".read": "auth != null && (auth.uid == $uid || root.child('users').child(auth.uid).child('user').child('admin').val() == true)",
        ".write": "auth != null && !newData.child('admin').exists() && (auth.uid == $uid || root.child('users').child(auth.uid).child('user').child('admin').val() == true)"
    },
    ".indexOn": ["userid"]
},
```

I am doing the following query and I see the following error:

```javascript
allusers = $firebaseArray(firebaseDataService.root.child('users'));
```

```
permission_denied at /users: Client doesn't have permission to access the desired data.
```

Any idea what I am doing wrong here?


1 Answer


When you attach a listener to /users, the Firebase server checks whether you have read permission on /users. If not, it rejects the listener.

This is a common source of confusion for developers new to Firebase. Coming from a SQL/relational mindset, we are used to using security to perform (server-side) filtering. In Firebase you cannot use security rules to filter data.

I'll add a few relevant links below for further reading:

  • Frank, I am not using the security rules to filter data. For individual users, I go to the specific nodes. For admins, I go to /users. I am trying to make sure that only admins can go and read all user data and not anyone else. – Ahsan Aug 28 '16 at 20:41
  • If you want to give an administrator access to `/users`, you need to have a `.read` rule for that on `/users`. – Frank van Puffelen Aug 28 '16 at 20:48
  • Not sure why I didn't do that already. Works for me now that I have added it. Thanks – Ahsan Aug 28 '16 at 21:27
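The complete rule set as an added example (not code from the question or the answer): it adds the `.read` rule on `/users` itself that Frank's comment calls for, so an admin's listener on `/users` is accepted, while each `$uid` node stays readable by its owner. It assumes the admin flag lives at `/users/<uid>/user/admin` as in the question, and since the posted write rule checks `newData.child('admin')` (the path `/users/$uid/admin`) rather than that location, the write rule here instead requires the flag at its real path to keep its existing value.

```json
{
  "rules": {
    "users": {
      ".read": "auth != null && root.child('users').child(auth.uid).child('user').child('admin').val() == true",
      ".indexOn": ["userid"],
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && (auth.uid == $uid || root.child('users').child(auth.uid).child('user').child('admin').val() == true) && newData.child('user').child('admin').val() == data.child('user').child('admin').val()"
      }
    }
  }
}
```

Rules still do not filter: an admin listener on `/users` receives every child, and a non-admin listener on `/users` is rejected outright with the `permission_denied` error from the question, exactly as the answer describes.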