Firebase Rules permission denied but why?

1
votes

This are my rules:

{
  "rules": {
    "freecoinsrequest":{
      ".read": false,
        ".write": "
      newData.child('uid').val() == auth.uid 
       1. && (root.child('users').child(auth.uid).child('/server/lasttimetookfreecoins').val() < now - 10000 
       2. || !root.child('users').child(auth.uid).child('/server/lasttimetookfreecoins').exists())
       " ,
      "uid":{
        ".validate" : true
      },
        "$other":{
          ".write": false,
          ".validate": false
        }
    },
  }
}

So a user should only be able to write to the path if:

  • the JSON contains "uid" as a key, and his uid as a value
  • He did not write to server/lasttimetookfreecoins within 10 seconds ago OR
  • He never wrote to server/lasttimetookfreecoins

I can not understand why it gets denied in the simulator. When I uncomment 1 and 2, as seen in the rules, it works.

Thanks.

1
firebasefirebase-realtime-databasefirebase-security

1 Answers

1
votes

In my testing, the rules produced the desired results when /users/$uid/server/lasttimetookfreecoins existed but failed when it did not. Reversing the order of the conditions fixed that:

  newData.child('uid').val() == auth.uid 
    && (!root.child('users').child(auth.uid).child('/server/lasttimetookfreecoins').exists()
    || root.child('users').child(auth.uid).child('/server/lasttimetookfreecoins').val() < now - 10000)