I have 2 nodes in the realtime database, users and customers. Both of them are related by the attribute company, which is one more node.

The users collection is as follows.

    {
      "users": {
        "2E6G3TCoBcONAh4Wt0TWMVcibgV2": {
          "companyid": "-KyeTbr9N-xEdpPElgjx"
        },
        "5mAfDeQchdROHsmxUVy8AqruGKF2": {
          "companyid": "-KyeTbr9N-xEdpPElgjx"
        },
        "6YoDdETq2He6kt5G3TE9RY0iLDr1": {
          "companyid": "-KvzqkH6FPauk3Giea12"
        }
      }
    }

The customers node is as follows.

    {
      "customers": {
        "-KyUi8lpt9kSYcT1ForR": {
          "company": "-KyB8grqQDb1Bk23Ob9A"
        },
        "-KyUiKrcwLuxOh9SHru2": {
          "company": "-Ky7cg9AMvVuFQLZzmyM"
        },
        "-KyUijwDpYQctATFRKU1": {
          "company": "-KyB8grqQDb1Bk23Ob9A"
        }
      }
    }

The idea is that the user only gets to see the customers of his company. For this, the auth rule I put is

    {
      "rules": {
        ".read": false,
        ".write": false,
        "users": {
          ".read": "auth != null",
          ".write": "auth != null"
        },
        "customers": {
          "$uid": {
            ".read": "root.child('users').child(auth.uid).child('companyid').val() == data.child('company').val()"
          }
        }
      }
    }

However, after this I am still not able to get the data from the database. When I do a query with the angularfire2 SDK, it does not return any value.

I need help regarding this. Thanks in advance.

Edit:

This is the code I am using to read data from the database.

    getallCustomers() {
      console.log("Getting all the Customers.");
      return this.afDB.database.ref('customers');
    }

  • Can you edit your question to include the code that you use to try and read the data? But an educated guess is that you're querying on `/customers`. Firebase enforces the rules when you attach the listener. Since you don't have read permission on `/customers` the listener is rejected. For this reason rules cannot be used to filter data. See the [docs](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters) and [previous answers](https://stackoverflow.com/search?q=%5Bfirebase%5D+rules+are+not+filters) (and [this one](https://stackoverflow.com/a/14298525)). – Frank van Puffelen Nov 16 '17 at 15:08
  • Thank you for the reply. Then how do we restrict the data that is being sent to the client? We do not want users to see the data of another company. – Raghavendra Gautam Nov 16 '17 at 15:12
  • Added the code for querying the database. Also, in that case, what is the best way to structure the data or have the rules? Just your opinion. – Raghavendra Gautam Nov 16 '17 at 15:28
  • OK. As suspected you're indeed trying to filter data through security rules, which isn't possible. The links I provided should give you some ideas on possible alternative structures, all of which involve some measure of duplicating data in places that are easier to secure. – Frank van Puffelen Nov 16 '17 at 15:40
  • Thanks Frank. I'll look into it. – Raghavendra Gautam Nov 16 '17 at 16:19
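
A simplified model of the read check discussed in the comments, added here as an illustration and not code from the question or from Firebase: a read is granted only by a `.read` rule at or above the requested path, so a listener on `/customers` is rejected while a company-keyed path can be secured. The `customersByCompany` layout, the short ids and the `canRead` helper are assumptions made for the example.

```javascript
// Simplified model (added example) of the Realtime Database read check:
// a read at a path succeeds only if a ".read" rule AT or ABOVE that path is
// true. Rules below the requested path are never consulted.

// Constructed sample data. "customersByCompany" is a hypothetical layout that
// duplicates each customer under its company id.
const db = {
  users: { uidA: { companyid: 'c1' }, uidB: { companyid: 'c2' } },
  customers: { k1: { company: 'c1' }, k2: { company: 'c2' } },
  customersByCompany: { c1: { k1: { name: 'Acme' } }, c2: { k2: { name: 'Globex' } } },
};

const companyOf = (auth) =>
  (auth && db.users[auth.uid] && db.users[auth.uid].companyid) || null;

// Rules as predicates: (auth, wildcardValue, dataAtNode) => boolean.
// As a real rule, the second entry would read:
//   "customersByCompany": { "$companyid": { ".read":
//     "root.child('users').child(auth.uid).child('companyid').val() == $companyid" } }
const rules = {
  customers: { // the question's rule: ".read" exists only on each child
    $id: { '.read': (auth, id, data) => !!data && companyOf(auth) === data.company },
  },
  customersByCompany: {
    $companyid: { '.read': (auth, companyid) => companyOf(auth) === companyid },
  },
};

function canRead(path, auth) {
  let ruleNode = rules;
  let dataNode = db;
  for (const seg of path.split('/').filter(Boolean)) {
    const wildcard = Object.keys(ruleNode).find((k) => k.startsWith('$'));
    ruleNode = ruleNode[seg] || (wildcard && ruleNode[wildcard]);
    if (!ruleNode) return false; // no rule covers this location
    dataNode = dataNode == null ? undefined : dataNode[seg];
    // A true ".read" here also grants everything beneath it.
    if (ruleNode['.read'] && ruleNode['.read'](auth, seg, dataNode)) return true;
  }
  return false; // reached the path without any rule granting access
}

const alice = { uid: 'uidA' }; // constructed user belonging to company c1
console.log(canRead('customers', alice));             // listener on the whole node
console.log(canRead('customers/k1', alice));          // one customer of her company
console.log(canRead('customersByCompany/c1', alice)); // her company's subtree
console.log(canRead('customersByCompany/c2', alice)); // another company's subtree
```

With a company-keyed layout like this, the client would attach its listener at the company's own subtree instead of at `customers`.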

0 Answers