
Doing CRUD in Firebase is pretty easy and neat IMO. But I am confused about how to protect the whole database.

So I have these database rules:

```json
{
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null"
    }
}
```

Let's say I have a bunch of data in my database. If the user is not yet authenticated, this code `firebase.database().ref('/').set(null)` returns a `permission_denied` error, which is normal.

But the problem is that once a certain user logs in and gets authenticated, this code `firebase.database().ref('/').set(null)` will delete the entire database.

How do I secure this kind of setup? Also, when I tried this code `firebase.database().ref('/').set(null)` in the JavaScript web console, it still deleted the data.

jofftiquez
  • Firebase's security rules allow fine-grained control over who can perform what operation on specific data. See the docs for a good introduction: https://firebase.google.com/docs/database/security/ – Frank van Puffelen Sep 11 '16 at 16:07
  • Hi @FrankvanPuffelen, in these sample rules (link below), what should the model look like exactly? https://firebase.google.com/docs/database/security/user-security#section-variable – jofftiquez Sep 11 '16 at 17:20
  • That has a `/users` node, and under it a node for each user. – Frank van Puffelen Sep 12 '16 at 00:40
  • So are they like `users{ uid1:{name:foo}, uid2:{name:bar}, uid3:{name:baz} }` **or** `users{ user:{user_id:uid1,name:foo}, user:{user_id:uid2,name:foo}, user:{user_id:uid3,name:foo} }`? @FrankvanPuffelen – jofftiquez Sep 12 '16 at 02:15
  • The first. Try it in the Firebase Console. Create a data structure, write rules, test, and repeat. – Frank van Puffelen Sep 12 '16 at 02:56

0 Answers
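
The difference between the question's root-level rules and per-user rules, as an added example that is not part of the original question or comments. It assumes the `/users/<uid>` layout confirmed in the comments; `evalRule` and `isAllowed` are hypothetical helpers that only approximate how grants cascade from a parent to its children, they are not Firebase APIs.

```javascript
// Simplified model of rule evaluation (added example, not Firebase's engine).
const weakRules = { ".read": "auth != null", ".write": "auth != null" };

// Assumed layout, as confirmed in the comments: /users/<uid>/{...}
const perUserRules = {
  users: {
    $uid: {
      ".read": "auth != null && auth.uid === $uid",
      ".write": "auth != null && auth.uid === $uid",
    },
  },
};

// Evaluate one rule expression with `auth` and captured $variables in scope.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  try {
    const fn = new Function("auth", ...names, `return (${expr});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (e) {
    return false; // an expression that errors denies access
  }
}

// Walk from the root to `path`. The first rule that grants wins (grants
// cascade to children); with no granting rule the operation is denied.
function isAllowed(rules, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules;
  for (let i = 0; i <= segments.length; i++) {
    if (typeof node[op] === "string" && evalRule(node[op], auth, vars)) return true;
    if (i === segments.length) break;
    const seg = segments[i];
    const wild = Object.keys(node).find((k) => k.startsWith("$"));
    if (Object.prototype.hasOwnProperty.call(node, seg) && !seg.startsWith(".")) {
      node = node[seg];
    } else if (wild) {
      vars[wild] = seg; // capture e.g. $uid = "uid1"
      node = node[wild];
    } else {
      return false; // no rule covers this location
    }
  }
  return false;
}

const alice = { uid: "uid1" }; // constructed sample user
console.log(isAllowed(weakRules, ".write", "/", alice)); // true
console.log(isAllowed(perUserRules, ".write", "/", alice)); // false
```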