I would like to only allow write permissions to authenticated users who have email addresses already in a user list.

My users list looks like this:

```json
{
  "users" : {
    "-KeZg-MuD-4TEOiW9i0_" : {
      "email" : "example@gmail.com"
    }
  }
}
```

I've tried using rules like this:

```
"users": {
  ".write" : "root.child('users/email').val() === auth.token.email"
}

"users": {
  ".write" : "root.child('users.email').val() === auth.token.email"
}

"users": {
  ".write" : "root.child('users.email').child(auth.token.email).exists()"
}

"users": {
  ".write" : "root.child('users').child(auth.token.email).exists()"
}
```

But to no avail. When I try to add a new user like this, I still get a permission denied error:

```javascript
firebase.database().ref('users').push({email: 'example@gmail.com'})
```

My snippets above are using example@gmail.com instead of the actual Google-authenticated user's email address, but the actual user is present in my users db list.

okwme
  • Can you give a code example of something you tried that didn't do what you expected? – Frank van Puffelen Mar 06 '17 at 18:17
  • i'm adding users similar to the example i've added. I get a permission denied error afterwards. – okwme Mar 06 '17 at 18:25
  • I can't make much of the code you shared. Can you share your actual JSON (since your rules are checking against `root`) as text? You can get this by clicking Export JSON in the [Firebase Database console](https://console.firebase.google.com/project/_/database/data/) – Frank van Puffelen Mar 06 '17 at 18:58
  • here's an export of my database: http://pastebin.com/1KE20xz7 – okwme Mar 06 '17 at 19:15
  • I'd like to allow only the user who has google authenticated with the email example@gmail.com to have write permissions – okwme Mar 06 '17 at 19:16
  • In the JSON you shared there is no path `/users/email`, so that rule will never be `true`. If you're looking to register unique email addresses, you should keep them as the key - not the value. See http://stackoverflow.com/questions/39149216/firebase-security-rules-to-check-unique-value-of-a-child-askfirebase, http://stackoverflow.com/questions/35243492/firebase-android-make-username-unique or my answer in this #AskFirebase video: https://youtu.be/66lDSYtyils?t=6m15s – Frank van Puffelen Mar 06 '17 at 19:24
  • i'm not trying to keep them unique. I want to limit permissions to users who have an email in my list of users. – okwme Mar 06 '17 at 19:34
  • That will lead to the same problem: you cannot in security rules search under a path for a specific *value*. You can check for the existence of a specific *key* though. – Frank van Puffelen Mar 06 '17 at 19:57
  • aha! now I understand and your previous answer does help! thank you! would you like to put it in an answer and i'll mark it as accepted? – okwme Mar 06 '17 at 20:03

1 Answer

In the JSON you shared there is no path `/users/email`. So this rule will never be `true`:

```
root.child('users/email').val() === auth.token.email
```

You cannot in security rules search under a path for a specific *value*. You can check for the existence of a specific *key* though. See [Firebase security rules to check unique value of a child #AskFirebase](http://stackoverflow.com/questions/39149216/firebase-security-rules-to-check-unique-value-of-a-child-askfirebase), [Firebase android : make username unique](http://stackoverflow.com/questions/35243492/firebase-android-make-username-unique) or my answer in this #AskFirebase video: https://youtu.be/66lDSYtyils?t=6m15s.

Frank van Puffelen
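The key-existence check described in the answer, as an added example that is not part of the original posts: it assumes a hypothetical `allowedEmails` node keyed by the email address with every `.` replaced by `,` (keys cannot contain `.`), and models the rule locally so the logic runs offline. All function names are assumptions.

```javascript
// Added example; `allowedEmails` and all function names are assumptions.
// Matching rule (a single line in the real rules file), testing for a key:
//   "users": { ".write": "auth != null && auth.token.email_verified === true &&
//     root.child('allowedEmails').child(auth.token.email.replace('.', ',')).exists()" }

// Realtime Database keys cannot contain . $ # [ ] / or ASCII control characters.
const FORBIDDEN_IN_KEY = /[$#\[\]\/\u0000-\u001f\u007f]/;

// Same transformation as the rule's replace('.', ','), which replaces every match.
function emailToKey(email) {
  if (typeof email !== 'string' || email === '' || FORBIDDEN_IN_KEY.test(email)) {
    throw new Error('email cannot be stored as a database key');
  }
  return email.split('.').join(',');
}

// Convert the question's push-id layout into an allowlist keyed by email.
function buildAllowlist(users) {
  const allowed = Object.create(null);
  for (const record of Object.values(users)) allowed[emailToKey(record.email)] = true;
  return allowed;
}

// Local stand-in for root.child(...).exists(): follows keys, never scans values.
function existsAt(root, segments) {
  let node = root;
  for (const segment of segments) {
    const isObject = node !== null && typeof node === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, segment)) return false;
    node = node[segment];
  }
  return node !== null && node !== undefined;
}

// Mirrors the rule above for a decoded auth token.
function canWriteUsers(root, auth) {
  if (!auth || !auth.token || auth.token.email_verified !== true) return false;
  try {
    return existsAt(root, ['allowedEmails', emailToKey(auth.token.email)]);
  } catch (e) {
    return false; // email not representable as a key, so it cannot be listed
  }
}

// Constructed sample data based on the export shown in the question.
const users = { '-KeZg-MuD-4TEOiW9i0_': { email: 'example@gmail.com' } };
const root = { users, allowedEmails: buildAllowlist(users) };
```

Do not grant clients write access to `allowedEmails`, or any signed-in user could add their own address to the list.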