13

I am trying to set up a Firebase database that only I can write. So no user will have permission to write anything. But everyone will be able to read it.

However, I could not set up the rules for it. I have one admin user that I created using Email/Password login, and I know its UID. Let's say my UID is: dJrGShfgfd2

I tried these two methods, but they didn't allow me to write to the database.

{
  "rules": {
    "events": {
      ".read": true,
      ".write": "auth.uid === 'dJrGShfgfd2'"
    }
  }
}

{
  "rules": {
    "users": {
      "$user_id": {
        ".read" : true,
        ".write": "$user_id === 'dJrGShfgfd2'"
      }
    }
  }
}

So how do I allow only one user with a specific UID to write anything to the database?

yigitserin
  • The rules in the first snippet should be okay. They should grant write access to the `events` path for the admin and read access for others. – cartant Jan 20 '17 at 20:41
  • Wait, I don't have an events path or something in my database. How do I define write rules that apply everywhere? – yigitserin Jan 20 '17 at 20:53
  • You have `events` in your rules hierarchy. If there is no such key in the database, remove it and move the `.read` and `.write` up under `rules`. – cartant Jan 20 '17 at 21:06
  • Answer below. If that doesn't work, share the minimal code that reproduces the problem: so the code that is allowed to write, that you don't want to be allowed. – Frank van Puffelen Jan 21 '17 at 04:47

2 Answers

27

This should work:

{
  "rules": {
    ".read": true,
    ".write": "auth.uid === 'dJrGShfgfd2'"
  }
}

Everyone in the world will be able to read the data, but only the user with UID dJrGShfgfd2 (and processes with administrative access) can write the data.

Frank van Puffelen
  • Can you do this completely on the client side only, meaning can you have a paid members vs members system without having a backend? How would I go about that, if a user pays they become a member? – Muhammad Umer Apr 15 '17 at 01:59
  • What you can do is check for a variable on the server that says they have already paid. After that, you can add a rule on the permissions to check whether that variable is `true`, meaning the user paid, or `false`, meaning the user did not pay. – CraftedGaming Nov 23 '17 at 10:06
  • 4
    How can I do this with an email instead of an uid? – Tomer Jan 10 '18 at 21:40
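
Added example (not part of the original posts and not Firebase's own code): a simplified JavaScript model of how Realtime Database `.read`/`.write` rules cascade, run against the two rule sets from the question and the root-level rule set from the answer above. It assumes that a rule expression which throws (for example `auth.uid` when `auth` is null) counts as a denial; `evalRule`, `isAllowed`, the sample paths and the second UID are hypothetical names made up for the illustration.

```javascript
// Simplified model of Realtime Database rule evaluation (added example).
// Assumptions: only .read/.write are modelled; a throwing expression denies.
const ADMIN_UID = 'dJrGShfgfd2'; // UID from the question

// Rule sets copied from the question (first two) and the answer (third).
const eventsRules = { rules: { events: { '.read': true, '.write': `auth.uid === '${ADMIN_UID}'` } } };
const usersRules = { rules: { users: { $user_id: { '.read': true, '.write': `$user_id === '${ADMIN_UID}'` } } } };
const rootRules = { rules: { '.read': true, '.write': `auth.uid === '${ADMIN_UID}'` } };

// Evaluate one rule value (boolean or expression string) with auth and $variables.
function evalRule(rule, auth, vars) {
  if (typeof rule === 'boolean') return rule;
  try {
    const names = Object.keys(vars);
    // The rule strings are the trusted constants above, never user input.
    const fn = new Function('auth', ...names, `return (${rule});`);
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (err) {
    return false; // e.g. auth is null for an unauthenticated client
  }
}

// Walk from the root towards `path`; the first rule that grants wins (cascade).
function isAllowed(ruleset, op, path, auth) {
  let node = ruleset.rules;
  const vars = {};
  const segments = path.split('/').filter(Boolean);
  for (let i = 0; ; i++) {
    const rule = node['.' + op];
    if (rule !== undefined && evalRule(rule, auth, vars)) return true;
    if (i === segments.length) return false; // reached the target, nothing granted
    const key = segments[i];
    const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
    if (!key.startsWith('.') && Object.prototype.hasOwnProperty.call(node, key)) {
      node = node[key];
    } else if (wildcard) {
      vars[wildcard] = key; // $user_id captures the path key, not the caller's UID
      node = node[wildcard];
    } else {
      return false; // no rule covers the rest of the path: denied by default
    }
  }
}

const admin = { uid: ADMIN_UID };
const other = { uid: 'someOtherUid' }; // constructed sample user
console.log('events rules, admin writes /posts/p1:', isAllowed(eventsRules, 'write', '/posts/p1', admin));
console.log('users rules, anonymous writes /users/' + ADMIN_UID + ':', isAllowed(usersRules, 'write', `/users/${ADMIN_UID}/name`, null));
console.log('root rules, other user writes /posts/p1:', isAllowed(rootRules, 'write', '/posts/p1', other));
```

In this model the second rule set from the question grants the write under `/users/dJrGShfgfd2` to a caller with no `auth` at all, because the expression compares the path key and never looks at `auth`.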
0

In version 2:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {

      allow read: if true;
      allow write: if request.auth.uid == "dJrGShfgfd2";

    }
  }
}
Yuno