What Firebase Security rules should I use to read the messages?

Question

I want only those users to read the messages whose uid is equal to either or both the to or from fields of message or if the 'to' section of the message is set to all.
This is my database:

{
"intents" : {
  "intentFields" : "",
  "intentName" : "",
  "to" : ""
},
"messages" : {
  "-KViVgc7ZG051eMXP0-5" : {
    "from" : "Ed",
    "name" : "Ed",
    "photoUrl" : "https://cdn1.iconfinder.com/data/icons/user-pictures/100/male3-512.png",
    "text" : "Hello, I'm Ed",
    "timeStamp" : "1476880306",
    "to" : "all",
    "type" : "text"
  },
  "-KWmsuvm0uJIf01eHfyN" : {
    "from" : "Capyv3mxQsUUn2W1nPOgcJ0Ex9T2",
    "name" : "Aakash Bansal",
    "photoUrl" : "https://lh5.googleusercontent.com/-oQyA4HXVycc/AAAAAAAAAAI/AAAAAAAAHKo/Ov0A0p0LjiY/s96-c/photo.jpg",
    "text" : "ho",
    "timeStamp" : "1479396273",
    "to" : "Ed",
    "type" : "text"
  }
}
}

I tries several rules, and read the Firebase documentation too. But none of the rules helped me achieve my result.

An example of the rules which I tried is :

{
"rules": {
  "intents" : {
    ".read" : "auth.uid === data.child('to').val()",
    ".write" : true
  },
  "messages" : {
    "$message": {
           ".read":  "auth.uid !== null",
           ".write": true
    }
  }
}
}

whereas the following set of rules works fine, although they don't achieve my desired result but they display all the messages in the app.

{
"rules": {
  "intents" : {
    ".read" : "auth.uid === data.child('to').val()",
    ".write" : true
  },
  "messages" : {
    ".read":  "auth.uid !== null",
    "$message": {
           ".write": true
    }
  }
}
}

Just to inform, I'm using firebaseui in the Android app to read the data. Please tell me if something is wrong in my understanding of 'firebase security rules'.

EDIT : Even the following set of rules are not working:

{
"rules": {
  "intents" : {
    ".read" : "auth.uid === data.child('to').val()",
    ".write" : true
  },
  "messages": {
    "$message": {
      ".read" : true,
      ".write": true
    }
  }
}
}

The android code that I use to read the data is:

mFirebaseAdapter = new MessageAdapter(FriendlyMessage.class,
       R.layout.message_my,
       RecyclerView.ViewHolder.class,
       mFirebaseDatabaseReference.child("/messages"));

How are you *reading* the messages? Because if you're trying to read `/messages` it will indeed fail with these rules. This is a common source of confusion, which we describe as [rules are not filters](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters) in the documentation and in [this answer here](http://stackoverflow.com/a/14298525/209103). — Frank van Puffelen, Nov 17 '16 at 20:42
Where is your code? What are you actually reading? (hint: Puf's comment above is almost certainly the answer, but can't tell without code) — Kato, Nov 18 '16 at 01:24
Yes puf, I've put firebaserecycleradapter at /messages, where should I put it to get the messages? — rahul singhania, Nov 18 '16 at 03:30

ksav · Answer 1 · 2016-11-17T18:30:50.533

0

{
  "rules": {
    "messages": {
      "$message": {
        ".read": "auth.uid === data.child('to').val() || auth.uid === data.child('from').val() || data.child('to').val() === 'all' ",
        ".write": true
      }
    }
  }
}

edited Nov 17 '16 at 18:30

answered Nov 17 '16 at 18:28

ksav

20,015
6
46
66

no sir, it is not working. Although I have already tried this solution and some more similar solutions, but I am not getting any data in the app – rahul singhania Nov 17 '16 at 18:40
What is not working? What are you attempting to do? What errors are you getting? – ksav Nov 17 '16 at 18:49
I am reading the messages by using recycler adapter in Android, and by 'not working', I mean messages are not being displayed in the app – rahul singhania Nov 17 '16 at 18:53
And your auth.uid is `Capyv3mxQsUUn2W1nPOgcJ0Ex9T2`? – ksav Nov 17 '16 at 19:37

What Firebase Security rules should I use to read the messages?

1 Answers1