
Overview

When using the Realtime Database in Firebase, I am able to edit and bypass rules. I see how this is convenient in some cases, but I would like to apply rules to manually submitted data as well.

Example

Here's the most simple write rule to disable writes anywhere. With the rule simulator, I am not able to write, as expected.

Can't Write in Simulator as Expected

However, even once I've saved the rule, I can still write in my database.

Can Still Write in Editor Unexpectedly

Today is my first day using Firebase rules. Am I confused about rules or is there no option to disable bypassing rules in the manual editor?

Matt Goodrich
  • The Firebase console runs as an administrative process and doesn't enforce your security rules. This is by design, because you should typically only use the console during initial development (when your rules are still very much in flux) and for some exceptional administrative tasks (which you typically don't enforce in rules). For everything else: use application code, potentially in a custom, administrative dashboard for your app's regular administrative tasks. – Frank van Puffelen Feb 16 '18 at 11:02

2 Answers


You will be able to write to the database manually from the console (no, there is no option), but using the rules above, ".write": "false" means that the end user won't be able to write to the database.

The person adding manually to the database is usually the admin. That is why even if it is write:false it will still add to the database.

But if for example you have this:

  Class
     randomid
      Keys:values

Then the user that will create the class in his phone won't be able to send data to the database since write:false

Even if you have this:

  {
    "rules": {
      ".read": "false",
      ".write": "false",
    }
  }

You will still be able to see the data in the console, but the end user won't be able to read or write to the database.

Peter Haddad
  • That's unfortunate. Thank you for the confirmation. Do you think this would be a beneficial feature? For example, I don't want manually entered information to violate conditions and break my applications. I will accept your answer within 24 hours, but wait in case somebody happens to have a contrary response (doubt it). – Matt Goodrich Feb 16 '18 at 09:33
  • You are the only person that can access that console, so you are the only person that can add manually. If you do not want to break the application, then do not add manually, as when you change the rules you are also affecting the end user (he won't be able to see the data that he wrote when he wants to retrieve it) – Peter Haddad Feb 16 '18 at 09:35
  • Thanks for explanation. My specific case is setting config values where users will only read, but accidental types in manually entered data would be harmful. And definitely! Feel free to reciprocate :) – Matt Goodrich Feb 16 '18 at 09:49

Remove the last comma.

{
     "rules": {
         ".read": "false",
         ".write": "false"
     }
}

and publish changes, then test.

Note that you can add values anyway, because you own that database and use it from console. If you use it from an SDK (Android, iOS, Node, etc), you won't be able to write data.

Cătălin Florescu
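
An added example, not part of any answer or comment above: one way to follow the advice to make administrative changes through application code instead of the console editor, so that a typo in a config value is rejected before it reaches the database. The schema, key names and the in-memory `makeFakeRef` stand-in are assumptions made for illustration; in a real tool `ref` would be a database reference such as `admin.database().ref("/config")` from the `firebase-admin` package.

```javascript
// Added example. Administrative writes are not checked against ".write" or
// ".validate" rules, so the checks have to live in the admin tool itself.
// CONFIG_SCHEMA and its key names are hypothetical.
const CONFIG_SCHEMA = {
  maxUploadMb: (v) => Number.isInteger(v) && v >= 1 && v <= 100,
  maintenance: (v) => typeof v === "boolean",
  supportEmail: (v) => typeof v === "string" && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of problems; an empty list means the config is acceptable.
function validateConfig(config) {
  if (config === null || typeof config !== "object" || Array.isArray(config)) {
    return ["config must be an object"];
  }
  const errors = [];
  // A misspelled key shows up here as "unknown" and below as "missing".
  for (const key of Object.keys(config)) {
    if (!hasOwn(CONFIG_SCHEMA, key)) errors.push(`unknown key: ${key}`);
  }
  for (const [key, check] of Object.entries(CONFIG_SCHEMA)) {
    if (!hasOwn(config, key)) errors.push(`missing key: ${key}`);
    else if (!check(config[key])) errors.push(`invalid value for ${key}`);
  }
  return errors;
}

// `ref` only needs a Promise-returning set(value), which is the shape of a
// Realtime Database reference. Nothing is written unless validation passes.
async function writeConfig(ref, config) {
  const errors = validateConfig(config);
  if (errors.length > 0) {
    throw new Error(`config rejected: ${errors.join("; ")}`);
  }
  await ref.set(config);
  return config;
}

// Constructed in-memory stand-in for a database reference (offline use only).
function makeFakeRef() {
  const ref = { stored: null, set: async (value) => { ref.stored = value; } };
  return ref;
}
```
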