Firebase Database Rules

1
votes

I'm having some issues wrapping my head around the database rules and the documentation isn't helping. I am trying to set things up so that only the user can delete their own items, however at the moment I'm getting permission_denied errors. I am assuming that it is because I don't have a read/write rule on the 'items' level. However I feel that if I just added a 'auth != null' rule it would give to much permission. Any thoughts?

the database setup:

users:
{
    user_1 {
        items:
        {
            item_1: true,
            item_2: true,
        }
    }, 
    user_2 {...},
    etc {...},
}, 
items:
{
    item_1
    {
        user: "user_1"
        ....
    }, 
    item_2
    {
        user: "user_1"
        ....
    }, 
}

The database rules look like

{
    "rules": {
        "users": {
            "$uid":{
               ".read": "auth != null && auth.uid==$uid",
               ".write": "auth != null && auth.uid==$uid"
            }
        },
        "items": {
            "$itemID": {
               ".read": "root.child('Users/'+auth.uid+'/'+$itemID).exists()", 
               ".write": "root.child('Users/'+auth.uid+'/'+$itemID).exists()"
            }
        }
    }
}
1
firebasefirebase-realtime-databasefirebase-security
Don't know if it cases sensitive or a typo but you've got Users/ in your item rules, but the node name is items!Rich
Also the path to a users items is users/uid/items and not just users/uidRich
your push id for items is equal to user's auth.id, right?AtaerCaner
Keep in mind that rules aren't filters. If you're going to query against users/ or items/ and not access records directly by their key, then you need a rule to allow access at that level, too.Kato

1 Answers

3
votes

At the moment any user can delete any item.

To ensure that only the owner can delete the item, you need to not just verify that:

   "items": {
        "$itemID": {
           ".read": "auth.uid == data.child('user').val()", 
           ".write": "auth.uid == data.child('user').val()"
        }
    }

There is no need to check if they exist in the /users node as far as I can tell, although you can easily add that back if needed.

But if a user can only read/write their own items, I'd model the data differently:

"items": {
    "$uid": {
        ".read": "auth.uid == $uid", 
        ".write": "auth.uid == $uid"
        "$itemID": {
        }
    }
}

This is much simpler to model and will give you much better scalability, since the database only ever has to consider the data for one user.