I am trying to set security rules for accessing my Firebase database from a react native project. I currently have a root path tasks/ and within it are pushed task items. Each task has 3 children, the important one being the uid field that is populated with the user id when the user creates a task. Here is a sample task that would be located at tasks/randomtaskid:
{
"date" : "2017-12-11",
"ttRef" : "irrelevant",
"uid" : "DrL3j1cWVehas45ghmeQ"
}
I am trying to use the security rules to restrict read / write access to any task, only allowing users to create tasks with their own UIDs and read / query tasks that match theirs.
Here are my security rules regarding the tasks portion of my database:
"tasks": {
".indexOn": ["uid", "date"],
"$task": {
".validate": "newData.hasChildren(['date', 'ttRef', 'uid'])",
".write": "auth != null && newData.child('uid').val() == auth.uid",
".read": "auth != null && data.child('uid').val() == auth.uid",
},
},
The security rules simulator says that this does restrict access successfully - when I try to read / write to a task that doesn't match the uid it blocks access and it allows it when it does match, but when I attempt to access tasks from within my app, I get a permission denied error (that goes away once I go back to allowing all authenticated users read / write access to tasks/). Why would they be different and what can I do to fix my rules? Thanks!
Edit: code example that causes error:
firebaseRef.database().ref('tasks/').orderByChild('uid').equalTo(u).once('value')
.then(function(snapshot) {
var dates = [];
snapshot.forEach(function(child) {
dates[dates.length] = child.val().date;
});
resolve(dates);
});
