
As of now I have below rules defined for my customer table.

```json
{
  "rules": {
    "customers":{
      ".read": "auth != null",
      ".write": "auth != null",

      "$CID":{
        "UserId":{
          ".validate": "(data.exists() && data.val() == newData.val()) || newData.val() == auth.uid"
        },
        "CustomerName":{
          ".validate": "newData.isString() && newData.val().length < 100"
        },
        "CustomerCode":{
          ".validate": "newData.isString() && newData.val().length < 4"
        },
        "CustomerLimit":{}
      }
    }
  }
}
```

As you can see, I have UserId under the customers branch, which holds the value of the logged-in user id. Each authenticated user can create customers which basically belong to that particular user, and should read/get only those customers which were created by him.

But now when I read from the database as below:

```java
DatabaseReference mDatabaseReference = FirebaseDatabase.getInstance().getReference("customers");
```

This retrieves all the data under customers. So I was thinking of adding a read rule to the existing one, something like:

```
"rules": {
    "customers":{
      ".read": "auth != null && auth.uid=loggedInUserId",  //something like this
    .....
    }
}
```

But I just couldn't find anywhere how it can be done here in the rules.

As an option I tried writing a query on UserId, which always returned null even after passing a valid logged-in UserId.

```java
// Filter on the UserId child: the SDK needs orderByChild() before equalTo()
Query query = mDatabaseReference.orderByChild("UserId").equalTo(loggedInUserId);
```

I don't prefer this method, as it would be best written in the rules. Hope someone knows how we can add rules for this requirement.

  • Firebase read permissions are enforced when you attach a listener. Either you can read from the location you attach to (and thus can read everything under it) or you can't read from the location (and thus the listener is rejected). Rules cannot be used to filter data. See the [Firebase documentation for that topic](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters), [this original question](http://stackoverflow.com/a/14298525/209103) or any of [these questions](http://stackoverflow.com/search?q=%5Bfirebase%5D+rules+are+not+filters). – Frank van Puffelen Feb 16 '17 at 04:07
  • @FrankvanPuffelen Oh, so is it something like I need to create a node for each user [not many users, some 10-50 in number] and then store customer details under that? – Guruprasad J Rao Feb 16 '17 at 04:10
  • Yes. I added some links to my initial comment. Usually you'll only allow the user to read their specific nodes in the master list and then create a so-called index under each user's node with the keys of the items they have access to. Somewhat similar to `groups` node in the [documentation on creating scalable data structures](https://firebase.google.com/docs/database/android/structure-data#fanout). – Frank van Puffelen Feb 16 '17 at 04:12
  • Thanks much @FrankvanPuffelen.. Pretty much clear now.. :) – Guruprasad J Rao Feb 16 '17 at 04:15
  • Good good. This is one of the hurdles everyone stumbles into when learning about Firebase's security model. Unfortunately it typically means that you'll need to restructure your data to allow the use-case, so I hope it's not too late for that. – Frank van Puffelen Feb 16 '17 at 04:23
  • @FrankvanPuffelen.. No no.. It's not too late.. I have just started working on the design.. :) I can restructure this.. :) – Guruprasad J Rao Feb 16 '17 at 04:25
  • @FrankvanPuffelen Could you please help me on **[this question](http://stackoverflow.com/questions/42268560/firebase-rules-validation-and-catching-validation-fail-in-android-application)**. I have been trying for a long time to find a solution for this.. – Guruprasad J Rao Feb 16 '17 at 11:38
  • Or could you please help on **[this question](http://stackoverflow.com/questions/42274338/firebase-rules-validation-does-not-validate-data)**.. I'm totally stuck on designing rules.. :( – Guruprasad J Rao Feb 16 '17 at 12:54

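A rule set of the shape the comments describe, written here as an added example (it is not code from the question or from the commenters): each record under `customers` is readable and writable only by the user whose uid matches its `UserId`, and a per-user index node lists the keys that user may access, so nobody can attach a listener to `/customers` as a whole. The index node name `user_customers` and the `$other` catch-all are assumptions of this example; the field names and length checks are the question's own. Firebase's rules editor accepts the `//` comments.

```json
{
  "rules": {
    "customers": {
      // Deliberately no ".read"/".write" at this level: a listener attached
      // to /customers is rejected outright, because rules are not filters.
      "$CID": {
        // Only the owner recorded in UserId may read this customer.
        ".read": "auth != null && data.child('UserId').val() == auth.uid",
        // Create: the new record must name the caller as its owner.
        // Update/delete: the record must already belong to the caller, and an
        // update may not hand it to a different uid.
        ".write": "auth != null && (!data.exists() || data.child('UserId').val() == auth.uid) && (!newData.exists() || newData.child('UserId').val() == auth.uid)",
        "UserId": {
          ".validate": "newData.isString() && newData.val() == auth.uid"
        },
        "CustomerName": {
          ".validate": "newData.isString() && newData.val().length < 100"
        },
        "CustomerCode": {
          ".validate": "newData.isString() && newData.val().length < 4"
        },
        "CustomerLimit": {},
        // Assumed hardening: reject any child the schema does not list.
        "$other": { ".validate": false }
      }
    },
    "user_customers": {
      // Assumed index node: user_customers/<uid>/<customer key> = true
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "$CID": {
          // An index entry may only point at a customer this user owns.
          ".validate": "newData.val() == true && root.child('customers/' + $CID + '/UserId').val() == $uid"
        }
      }
    }
  }
}
```

With these rules the client never attaches to `/customers` itself; the `getReference("customers")` listener from the question now fails with a permission-denied error for every user, which is the intended effect. To create a customer the app calls `push()` on the `customers` reference, writes the record with `UserId` set to the signed-in uid, and only then writes `user_customers/<uid>/<key> = true`; the order matters because the index validation reads `root`, which is the database as it stood before the write, so the customer record must already exist. To list a user's customers the app listens on `user_customers/<uid>` and fetches `customers/<key>` for each key it finds, so the `.read` rule on `$CID` is evaluated once per record.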