
I have a list of objects which look like this when they are created:

{
  owner: "<user uid>",
  pending: true,
  origin: { ... },
  destination: { ... },
  fare: { ... },
  driver: {
    user: null,
    ...
  }
}

I need to write rules such that:

  1. Anyone can insert a new object
  2. Anyone can read objects
  3. Anyone can claim an object, by setting pending: false, and driver.user: <their uid>. They should only have write permission on pending and driver.*
  4. Once an object has been claimed, no one else should be able to modify it except the original owner, and driver.user (driver.user should only be able to modify pending and driver.*)

Is this possible, and if so what would these rules look like?


This is not a duplicate, it has nothing to do with Getters or Setters. This is a question about Firebase Rules - https://firebase.google.com/docs/database/security/securing-data

Benedict Lewis
  • Have a look at using [getters and setters](http://stackoverflow.com/questions/812961/javascript-getters-and-setters-for-dummies). You can apply some access validation in them. – Cerbrus Apr 26 '17 at 09:39
  • @Cerbrus These only provide client-side validation. I need these rules on Firebase, or anyone could create a client without validation and do whatever they want – Benedict Lewis Apr 26 '17 at 09:44
  • So, why did you tag this with JavaScript then? – Cerbrus Apr 26 '17 at 09:46
  • I'm using the JavaScript library for Firebase – Benedict Lewis Apr 26 '17 at 09:47
  • ... And you can just use getters / setters in there, right? I mean, the JS code you write just gets compiled into a native app in the end, not? What other language are you working in if JS isn't it? – Cerbrus Apr 26 '17 at 09:48
  • It does get compiled into a native app, however if the rules aren't configured with Firebase there's nothing to stop anyone decompiling the app, finding the connection information and modifying data with no restrictions. – Benedict Lewis Apr 26 '17 at 09:52
  • @Cerbrus Firebase has its own server side rules that secure the data on the server side. The rules are used to set read/write access to particular nodes at the server level. It's not so much a JavaScript question but the tag does let us know the OP's platform. OP: we really need to see a snippet of the exact Firebase structure - Firebase Console->Three dots on right->export JSON and include that in the question. You should also post the rules you've tried so far. – Jay Apr 26 '17 at 16:54
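
One way to express requirements 1-4 from the question as Realtime Database rules, added here as an example and not taken from the thread. It assumes the objects live under a hypothetical `/rides` path and that "anyone" inserting or claiming means any signed-in user, since `owner` stores a uid.

```json
{
  "rules": {
    // "rides" is an assumed collection name; the question does not give the path.
    "rides": {
      // Requirement 2: anyone can read.
      ".read": true,
      "$rideId": {
        // Requirement 1 and the owner half of 4: create an object that names
        // the caller as owner, or be the owner of the existing object.
        // This is the only rule that grants access to origin, destination and fare.
        ".write": "auth != null && ((!data.exists() && newData.child('owner').val() === auth.uid) || data.child('owner').val() === auth.uid)",
        "owner": {
          // Ownership cannot be reassigned once it has been set.
          ".validate": "!data.exists() || newData.val() === data.val()"
        },
        "pending": {
          // Requirements 3 and 4: the current driver may change pending, or any
          // signed-in user may claim: pending goes true -> false in the same
          // write that makes driver/user the caller's uid.
          ".write": "auth != null && (data.parent().child('driver/user').val() === auth.uid || (data.val() === true && newData.val() === false && newData.parent().child('driver/user').val() === auth.uid))",
          ".validate": "newData.isBoolean()"
        },
        "driver": {
          // Same two cases, seen from the driver subtree (covers driver.*).
          ".write": "auth != null && (data.child('user').val() === auth.uid || (data.parent().child('pending').val() === true && newData.parent().child('pending').val() === false && newData.child('user').val() === auth.uid))"
        }
      }
    }
  }
}
```

With these rules the claim has to be sent as a single multi-path `update()` that sets `pending` and `driver/user` together, so that `newData` shows both changes when each path's rule is evaluated.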

0 Answers