0

I have a Post object that has a userID and categoryID. I'm trying limit a user to create one post in one category. My database:

posts: {
    ID: {
        body: "Post Body",
        ownerID: "Mike",
        categoryID: "books"
    }
}

users: {
    "Mike": {
        completeName: "Mike Douglas"
    }
}

I don't want to allow 'Mike' to create another Post using category 'books'.

My Firebase's rule:

 {
    "rules": {          
        "post": {
          ".read": true,          
          ".write": "(data.child('ownerID').val() != auth.uid && data.child('categoryID').val() != newData.child('categoryID').val())",       
          ".validate": "newData.hasChildren(['body', 'ownerID', 'categoryID'])",
          "$other": { ".validate": false },               
        }
    }
}

Do Firebase has an way to explain that I'm talking about the same data?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Makah
  • 4,435
  • 3
  • 47
  • 68
  • There is no way in security to ensure a unique value on that level. To ensure uniqueness you'll want to use the value (`books`) as a key instead. See https://stackoverflow.com/questions/35243492/firebase-android-make-username-unique, https://stackoverflow.com/questions/39149216/firebase-security-rules-to-check-unique-value-of-a-child-askfirebase, https://stackoverflow.com/questions/25294478/how-do-you-prevent-duplicate-user-properties-in-firebase, https://stackoverflow.com/questions/42039792/firebase-rules-for-unique-child-name – Frank van Puffelen Dec 08 '17 at 04:14
  • @FrankvanPuffelen, don't you think that it's a bad thing about Firebase? Think about Tripadvisor or IMDB app where want to limit one comment per user per movie/hotel/restaurant. [It is not trusteble to limit comment in cliend-side]. I think the only way is create a POST cloud function like createComment() and block ".write" directely from realtime database. – Makah Dec 08 '17 at 21:34
  • Your relational database probably does the same behind the scenes: it creates an index for the values, and rejects duplicates from that auto-index. Using your unique values as a key, means that you align your app requirements with the system behavior. That's the cheapest way to get this behavior, and thus the most scalable approach. – Frank van Puffelen Dec 08 '17 at 22:39
  • @FrankvanPuffelen sorry to take your time with this question but i'm little bit confuse now. Do you think that a robust website like IMDB could create a client-side hash and create an index with this (like your example https://stackoverflow.com/questions/39149216/firebase-security-rules-to-check-unique-value-of-a-child-askfirebase). What do you suggest like best practice? [cliend-side index; cloud function POST; ....] – Makah Dec 09 '17 at 01:23

0 Answers0