vote system firebase security rules

Question

I'm trying to write the rules for this node so only the user who is currently logged in can edit/update it with only the values "-5", "3" or "1" and the rest of the users can only edit/update it with "-3" or "3"

The data structure I have is:

/users/$uid/votes

the rules I have as of now are:

{
 "rules": {
   "users": {
    "$uid": {
      ".read": true,
      ".write": "auth.uid === $uid",
      "votes": {
        ".validate": "auth.uid === $uid && newData.isNumber() && (newData.val() === -5 || newData.val() === 3 || newData.val() === 1) || auth.uid !== $uid &&newData.isNumber() && (newData.val() === -3 || newData.val() === 3)"
        } 
      }
    }
  }
}

is there any way to improve these rules? does "auth.uid !== $uid" make sure that the user that's not currently logged in can only update the values of this "votes" node by -3 or 3?

Frank van Puffelen Frank van Puffelen · Accepted Answer · 2018-09-22T22:35:11

This is a slightly more readable way to accomplish the same (to me at least):

".validate": "(newData.isNumber() && (
  newData.val() === 3 /* Everyone can set to 3 */
  || (auth.uid === $uid && newData.val() === -5 || newData.val() === 1) ||       
  || (auth.uid !== $uid && newData.val() === -3)
)

But the rules let every authentication user write to the location for $uid, which seems odd. Are you sure you want just any user wrote to this user's votes?

If might be easier to help if you show the JSON you want to create, and the code for a write operation you want to allow (and disallow).

vote system firebase security rules

1 Answers