0

I can't figure out how to filter data using Firebase database. I've read that rules can't be used for filters. But then how?

I'd like a datastructure somewhat like the one below. i.e. a list of posts created by different users due for a specified time (user-id is not included in the layout below as I'm not sure where to put it)

posts: {
  "-LKwbZsfy55d24kwX4t1" : {
      when: {
        from: "2019-01-01 10:00",
        to: "2019-01-01 11:00"
      content: {
        text: "Hello"
      }
  },
  "-LKwbZsfy55d24kwX4t2" : {
      when: {
        from: "2019-01-02 10:00",
        to: "2019-01-02 11:00"
      content: {
        text: "Another hello"
      }
  }
}

I would like everyone to be able to read all posts so my sync path is '/posts'

BUT only the user that created the post should be able to see the 'content'. So I somehow need to say that posts has ".read" : true, and content has ".read": $uid == auth.uid (which is not possible since access cannot be revoked by a child path)

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
Barsum
  • 128
  • 1
  • 2
  • 13

2 Answers2

2

If your current data structure makes it impossible to secure the data to your needs, considered restructuring it so that security rules become possible. In other words, don't nest protected data under public data. Put protected data in its own top-level child.

"posts-public": {
    "-LKwbZsfy55d24kwX4t1": {
        // public data here
    }
},
"posts-private": {
    "-LKwbZsfy55d24kwX4t1": {
        // private data here
    }
}

Now you can write security rules to protect them independently from each other.

Doug Stevenson
  • 297,357
  • 32
  • 422
  • 441
  • Sigh! I was hoping to avoid that. I guess this means that I will need to make two writes to Firebase, and I will have to create the id of the posts myself (not letting Firebase generate id). Then I would listen to both 'posts-public' and 'posts-private' and merge them whenever both structures has arrived? – Barsum Jan 09 '19 at 07:29
  • 1
    Sure, if that's what you app needs to do to get all the data. – Doug Stevenson Jan 09 '19 at 07:41
0

".read": "true", gives everyone to read data

And it should be looks like this (just for example):

"posts": {
      ".read": "true",
      "$postId": {
        ".read": "true",
        ".validate": "root.child('posts/'+$postId).exists()",
        "$contentId": {
            ".read": "auth !=null",
            ".write": "auth != null",
            ".validate": "(newData.hasChildren(['content']))",
             "content": {
                ".validate": "newData.val().length > 0"
            },
           "user": {
             ".validate": "newData.hasChildren(['id', 'name', 'avatar'])"
           }
         }
      }
    },
    "privatePost": {
      "$uid1": {
        "$uid2": {
          ".read": "auth != null && ($uid1 === auth.uid || $uid2 === auth.uid)",
          "$postId": {
            ".write": "auth != null",
            ".validate": "(newData.hasChildren(['content']))",
            "content": {
              ".validate": "newData.val().length > 0"
        },
            "user": {
              ".validate": "newData.hasChildren(['id', 'name', 'avatar'])"
            }
          }
        }
      }
31113
  • 399
  • 4
  • 18
  • "$contentId": { ".read": "auth !=null", Won't have any effect, as there is a ".read:true" in parent? – Barsum Jan 09 '19 at 07:35