
I want to give .write permission on the posts node to admins/moderators only. But for its two attributes, stars and starCount, any authenticated/valid user can write.

i.e. I want to give .write permission on two nodes (stars and starCount) to every valid user. How can I achieve this?

My current database rules:

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth.uid === $uid",
        ".write": "auth.uid === $uid",
        ".validate": "!data.exists() && newData.hasChildren(['id','photoUrl','role','username']) && auth.uid === $uid"
      }
    },

    "posts": {
      "$post": {
        ".read": "auth.uid != null",
        "stars": {
          ".write": "auth.uid != null"
        },
        "starCount": {
          ".write": "auth.uid != null"
        },
        "author": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "approvedBy": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "body": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "commentcount": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "title": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "timeStamp": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "url": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "uid": {
          ".write": "auth.token.role.matches(/moderator$/)"
        },
        "url_profile_pic": {
          ".write": "auth.token.role.matches(/moderator$/)"
        }
      }
    }
  }
}
```

Database Schema Image:

database_schema_image

  • The rules look reasonable (although it's a bit much to parse quickly). If you're having trouble it's most likely because you're trying to read from `posts` with a user that doesn't have permission there. Firebase Database security rules cannot be used to filter data. See [this section in the docs](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters), [this answer](http://stackoverflow.com/a/14298525/209103) or [any of these answers](http://stackoverflow.com/search?q=%5Bfirebase-security%5D+rules+are+not+filters) for a lot more about it. – Frank van Puffelen Jan 18 '17 at 15:50
  • The "posts" node has several attributes and I gave each attribute a separate .write permission according to my need. As my rule says, any authenticated user can have .write permission for the "stars" and "starCount" attributes. Unfortunately it is not working. – Anil Jan 19 '17 at 04:51
  • Please post the [minimal complete code that is failing to read/write](http://stackoverflow.com/help/mcve). – Frank van Puffelen Jan 19 '17 at 04:54
  • Thanks @Frank, I was defying 'Rules Are Not Filters', I need to restructure my database. – Anil Jan 24 '17 at 04:37

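The "rules are not filters" behaviour from the comments, as an added example that is not part of the original thread and not Firebase's own code: a simplified JavaScript model of how `.read`/`.write` rules cascade, using a subset of the question's `posts` rules. The `isAllowed` function, the predicates and the sample users are hypothetical names, and the rule expressions are modelled as plain JS predicates.

```javascript
// Simplified model of Realtime Database rule cascading (not the Firebase engine).
// Each rule is a JS predicate over `auth`; the tree mirrors part of the question's rules.
const isSignedIn = (auth) => auth !== null;
const isModerator = (auth) => auth !== null && /moderator$/.test(auth.token.role || "");

const rules = {
  posts: {
    $post: {
      ".read": isSignedIn,
      stars: { ".write": isSignedIn },
      starCount: { ".write": isSignedIn },
      body: { ".write": isModerator },
      title: { ".write": isModerator },
    },
  },
};

// Access is granted only if a rule ON THE PATH from the root to the target is true.
// Rules that sit below the target are never consulted, so they cannot "filter" a parent read.
function isAllowed(op, path, auth) {
  let node = rules;
  const segments = path.split("/").filter(Boolean);
  for (let i = 0; i <= segments.length; i++) {
    if (typeof node[op] === "function" && node[op](auth)) return true;
    if (i === segments.length) break;
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    node = Object.hasOwn(node, segments[i]) ? node[segments[i]] : wildcard && node[wildcard];
    if (!node) return false; // no rules at or below this point: default deny
  }
  return false;
}

const user = { uid: "u1", token: { role: "user" } };     // constructed sample user
const mod = { uid: "m1", token: { role: "moderator" } }; // constructed sample moderator

console.log("user reads /posts        ->", isAllowed(".read", "/posts", user));
console.log("user reads /posts/p1     ->", isAllowed(".read", "/posts/p1", user));
console.log("user writes .../stars/u1 ->", isAllowed(".write", "/posts/p1/stars/u1", user));
console.log("user writes .../body     ->", isAllowed(".write", "/posts/p1/body", user));
console.log("mod writes /posts/p1     ->", isAllowed(".write", "/posts/p1", mod));
```

In this model a listener attached at `/posts` is denied even though every child is readable, and a whole-object write at `/posts/p1` is denied even for a moderator, because the only grants sit below those locations.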