0

Database:

"user_locations": { 
   "123": {
     "user_id": "kcf3566"
   }

}

Rule:

"user_locations": { 
   "$loc_id": {
     ".read": "auth.uid == root.child('user_locations/$loc_id/user_id').val()",
     ".write": "auth != null"
   }

}

Per the above code, I am trying to allow ONLY users with the with a matching uid at the path user_locations > $key > uid to be able to read the data. I tried the above rule, however, I am unable to access the data.

The code that triggers the problem:

$scope.get_user_locations = function () {

    firebase.auth().onAuthStateChanged(function (user) {
        if (user) {

            var returned_locations = firebase.database().ref('user_locations/');
            returned_locations.on('value', function (snapshot) {
                $scope.user_locations = snapshot.val();
            });


        } else {
            $state.go('login');
        }
    });

};
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Tor Learner
  • 51
  • 3
  • Can you show the code that you're trying and that doesn't work? – Frank van Puffelen Dec 12 '17 at 01:17
  • By the way, this is an AngularJS 1 project. Here is the user_locations method: https://pastebin.com/w4TKn24v – Tor Learner Dec 12 '17 at 02:39
  • Firebase checks security rules when you attach the listener. You attach the listener to `user_locations`. Since you don't have read permission to `/user_locations` that listener is rejected. – Frank van Puffelen Dec 12 '17 at 04:00
  • It looks like you're trying to use security rules to filter the data that the user has access to. That is currently not possible: Firebase security rules cannot be used to filter data. This is known as [rules are not filters](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters) in the documentation, and has also been covered quite a bit in [previous questions about that topic](https://stackoverflow.com/search?q=%5Bfirebase%5D+rules+are+not+filters). – Frank van Puffelen Dec 12 '17 at 04:02

1 Answers1

0

The security rules don't perform string interpolation on variables in path strings. Change your rule to this:

"rules": {
  "user_locations": { 
     "$loc_id": {
       ".read": "auth.uid == root.child('user_locations').child($loc_id).child('user_id').val()",
       ".write": "auth != null"
     }
   }
Bob Snyder
  • 37,759
  • 6
  • 111
  • 158
  • Tried your suggestion in the past without any luck... – Tor Learner Dec 12 '17 at 02:23
  • Hmm. The rule works for me using the simulator in the Firebase console. As Frank asks in his comment, please post the code that attempts to read the location. – Bob Snyder Dec 12 '17 at 02:37
  • 1
    Your code is reading at `/user_locations`, not `/user_locations/$loc_id`, so the rule is not applied. – Bob Snyder Dec 12 '17 at 03:44
  • 2
    @BobSnyder The read rule seems the same as `"auth.uid == data.child('user_id').val()"` to me, which makes it clearer what is happening. See my comment to the question. – Frank van Puffelen Dec 12 '17 at 04:04