Firebase security rules, data variable

1
votes

I have a database schema like this:

  • Posts
    • unverified
      • post_1
      • post_2 ...

And here is a shortened list of data in /posts/unverified path 

{
  "-L7xmY2HMeEImDZnZqTf" : {
    "categorie" : 0,
    "commonFields" : {...},
    "fbKey" : "-L7YM7vEf8RpcxGUTpDE",
    "images" : [...],
    "specialFields" : {
      "area" : "150",
      "productPrice" : {
        "currency" : "dollar",
        "value" : "65000"
      },
      "requestType" : "sell",
      "requesterType" : "personal",
      "roomCount" : 3,
      "suburbia" : "false"
    },
    "subCat" : 0,
    "timestamp" : 1521011840178,
    "uid" : "Fo5f6VonWgQVpsf6u80TPgoi2it2"
  },
  "-L7YNUZPL1-Dl7EhScEE" : {...},
  "-L7YNUZPL1-fdfasfa" : {...},
  "-L7YNUZPL1-ljljklfd" : {...},
  "-L7YNUZPL1-lkjlkjfas" : {...},
}

And a firebase security rules defined as below 

{
  "rules": {
    "posts": {
      "unverified": {
        ".indexOn": "timestamp",
        ".read": "data.child('uid').val() === auth.uid"

As the rules show, I want to read unverified posts if the users id equal to the uid field in the post data

But every time i use the rules simulator ( or test the with the codes ) with the below configuration, its' giving Simulated read denied error

enter image description here

Thanks for your helps

1
firebasefirebase-realtime-databasefirebase-security
Please edit your post to show the actual JSON (as text, no screenshot) at /posts/unverified. You can get this by clicking the "Export JSON" link in your Firebase Database console.Frank van Puffelen
I just updated the post Frank..Fakhruddin Abdi
That post does not have a uid property with the UID you're testing with. That would indeed make the simulator fail.Frank van Puffelen
It does have a uid exactly with UID im testing with. Its why im asking here. The post im testing has a key -L7xmY2HMeEImDZnZqTf and that post has uid property Fo5f6VonWgQVpsf6u80TPgoi2it2 .. And i test posts/unverified/-L7xmY2HMeEImDZnZqTf path with Fo5f6VonWgQVpsf6u80TPgoi2it2 uidFakhruddin Abdi
Ah wait, I see it now. You're missing a level in your rules. I'll write an example in an answer.Frank van Puffelen

1 Answers

2
votes

Your .read rule is defined on /posts/unverified and checks a child called uid. So the total path is /posts/unverified/uid.

You're trying to read /posts/unverified/-L7xmY2HMeEImDZnZqTf. And the UID value is defined on /posts/unverified/-L7xmY2HMeEImDZnZqTf/uid.

The two paths don't match. You need to add a wildcard in your rules:

{
  "rules": {
    "posts": {
      "unverified": {
        ".indexOn": "timestamp",
        "$postid": {
          ".read": "data.child('uid').val() === auth.uid"