Firebase Security Rules allowing conditional .read

Question

I want to create a firebase rule that allows users to read and write to child if a property of that child has a specific value. Let's say my database looks something like this:

"tasks": {
    "SDkh7s62jnd23d9": {
        "uid": "someuserid",
        "other": "datagoes here"
    }
}

Here is my current security rule:

"tasks": {
    ".indexOn": "_state",
    "$registerQueueKey": {
        ".read": "data.child('uid').val() == auth.uid",
        ".write": "newData.child('uid').val() == auth.uid"
    }
}

This rule restricts user write permissions, but it never lets a user read, even if the child they are attempting to read has a uid property that equals auth.id.

I then tested the following rule set:

"tasks": {
    ".indexOn": "_state",
    "$registerQueueKey": {
        ".read": true,
        ".write": "newData.child('uid').val() == auth.uid"
    }
}

Despite the .read permission being set to a permanent true value, the user still cannot read the $registerQueueKey child.

I then tested the following rule set:

"tasks": {
    ".indexOn": "_state",
    ".read": true,
    "$registerQueueKey": {
        ".write": "newData.child('uid').val() == auth.uid"
    }
}

Now I can read the child fine, so I attempted this final security rule:

"tasks": {
    ".indexOn": "_state",
    ".read": "data.child($registerQueueKey").child('uid').val() == auth.uid",
    "$registerQueueKey": {
        ".write": "newData.child('uid').val() == auth.uid"
    }
}

But this rule throws an error because the variable $registerQueueKey is undefined in the scope it is being used.

How do I accomplish a rule like this?

Firebase check read authorization on the location where you attach a listener. So either you can read from that location (and thus read everything under it), or you can't read from that location. This means that you cannot use security rules to filter content how you're trying here. This is known as [rules are not filters](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters) in the documentation, in [this answer](http://stackoverflow.com/a/14298525/209103) and in [these other questions](http://stackoverflow.com/search?q=%5Bfirebase%5D+rules+are+not+filters). — Frank van Puffelen, Jan 27 '17 at 18:48
@FrankvanPuffelen So do I need to restructure my database so that the value I am attempting to check against is the key of that child? — Hurricane Development, Jan 27 '17 at 19:43

score 0 · Answer 1 · edited Dec 19 '17 at 17:04

0

I think the error is because you have not placed a wildcard:

"tasks": {
  "$uid": {
    ".indexOn": "_state",
    ".read": "data.child($registerQueueKey").child('$uid').val() == auth.uid",
    "$registerQueueKey": {
        ".write": "newData.child('$uid').val() == auth.uid"
    }
  }
}

edited Dec 19 '17 at 17:04

Patrick Haugh

59,226
13
88
96

answered Dec 19 '17 at 16:50

Magdiel Marquez

1
1

Firebase Security Rules allowing conditional .read

1 Answers1