
I've been creating an app and I'm close to releasing it to the public; I just need to touch upon the security part. I'm trying to get my rules to only allow users who haven't signed up yet (non-authorized users) permission to look at everyone's username and email in the database, but nothing else that's in their UID area. Obviously, if the user that owns the data is logged in, then he can look at all of his data. Here's what I got so far:

{
  "rules": {
    "users":{
      "$uid":{
        "email":{".read": "true"},
        "username":{".read": "true"},
        "matchUrls":{".read": "true", ".write": "true"},
        "accountCreatedAt":{".read": "auth.uid === $uid"},
        "lastSignedInAt":{".read": "auth.uid === $uid"},
        "lastUsedApp":{".read": "auth.uid === $uid"},
        "matchesPlayed":{".read": "auth.uid === $uid"},
        "profileImageUrl":{".read": "auth.uid === $uid"}
      }
    }
  }
}

Thanks, Nathan

  • What is the current and expected behavior? – Jeremy Jul 24 '18 at 20:56
  • @JeremyLee When the user goes to sign up, the app looks through all the users to see if that specific username is taken by one of them, but when I sign up I get this error from the database: 'Listen at /users failed: DatabaseError: Permission denied'. But if I gave everyone permission to look in the 'users' node, the rules would be pointless anyway. –  Jul 24 '18 at 21:00
  • You might need to re-structure your users data; you won't be able to search username because you haven't given read access to `users`. Perhaps create another property `/usernames/${uid}: 'username-string'` which can have a `.read: true` permission assigned. – sketchthat Jul 24 '18 at 23:23
  • That's indeed the right approach @sketchthat! Also see https://stackoverflow.com/questions/38648669/firebase-how-to-structure-public-private-user-data, https://stackoverflow.com/questions/19891762/firebase-security-rules-public-vs-private-data, https://stackoverflow.com/questions/38921824/how-to-create-public-private-user-profile-with-firebase-security-rules, https://stackoverflow.com/questions/46257960/how-to-store-public-private-data-under-a-node-and-still-query-the-entire-node?rq=1 – Frank van Puffelen Jul 25 '18 at 03:09
  • @sketchthat thank you, I'll try that :) –  Jul 25 '18 at 17:03
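As an added illustration of the restructuring suggested in the comments above (this is example rules code written for this page, not code from the question or from the linked answers), here is one way to split the data so that the signup check works without opening `/users` to everyone. It goes one step beyond the `/usernames/${uid}` layout from the comment: the public `usernames` node is keyed by the username itself, so "is this name taken?" is a single read of `/usernames/<name>` instead of a scan, and the write rule makes the claim first-come, first-served. The node names `profiles`, `users` and `usernames`, and the field names inside them, are assumptions for the example.

```json
{
  "rules": {
    "profiles": {
      "$uid": {
        ".read": true,
        ".write": "auth != null && auth.uid === $uid",
        "username": { ".validate": "newData.isString()" },
        "email":    { ".validate": "newData.isString()" }
      }
    },
    "users": {
      "$uid": {
        ".read":  "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    "usernames": {
      ".read": true,
      "$username": {
        ".write": "auth != null && !data.exists() && newData.val() === auth.uid",
        ".validate": "$username.matches(/^[a-z0-9_]+$/) && $username.length >= 3 && $username.length <= 20"
      }
    }
  }
}
```

How the pieces fit: the public fields (username, and email only if it genuinely has to be public; a private `users` field is the safer default for an address) live under `/profiles/$uid`, readable by anyone and writable only by the owner. Everything else from the original layout (`accountCreatedAt`, `lastSignedInAt`, `matchUrls`, and so on) moves under `/users/$uid`, where both read and write are owner-only; note that the original rules let anyone write `matchUrls`, which this layout closes. A signup claims a name and creates the profile in one multi-location update (`{"usernames/<name>": uid, "profiles/<uid>": {...}, "users/<uid>": {...}}`), so if the name is already taken the whole update is rejected with a permission error rather than partially applied. Because `.write` on `/usernames/$username` requires `!data.exists()`, a claimed name can never be overwritten or deleted through the client, which also means changing a username needs a separate, deliberate flow (for example an admin-side or Cloud Functions path) rather than a client write.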

0 Answers