Firebase Realtime Database Security Rules protect user datas

0
votes

i'm working on a project which i would like to run on the firebase realtime database. I created a database setup with this format:

   {
  "Horses" : {
    "description" : "",
    "id" : "",
    "name" : "",
    "uid" : "testx"
  },
  "images" : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "uid" : ""
  },
  "videos" : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "type" : "",
    "uid" : ""
  }
}

My security Rules looks like this:

    {

  "rules": {
    "Horses":{
      ".read": true,
        ".write": false,

        "$uid":{
            ".read": true,
                ".write": "$uid == auth.uid"
        }

    },
    "videos":{
      ".read": true,
        ".write": false,

        "$uid":{
            ".read": true,
                ".write": "$uid == auth.uid"
        }

    },
    "images":{
      ".read": true,

        "$uid":{
            ".read": true,
                ".write": "$uid == auth.uid"
        }

    },
  }

}

I'm trying to archive that every everyone can read details in "horses", "images" and "videos" but only authenticated users to add entrys to "Horses","images" and "videos" if they belong to themself (checked by userid provided by firebase auth).

My first question is: should i include "images" and "videos" as a child object from "Horses" ? It would be better if i can write one write and read rule for Horse once and it will cascade to the others.

My second question is: im not able to write a set to a Horse or Image even if the authentication is set to the same uid as my writed data has. It seems like i have to send my requests to horses/[UID-HERE] for example. How can i write the rule that it archives my described behavior ? enter image description here

Thanks for helping!

1
firebasefirebase-realtime-databasefirebase-authentication
Didn't you miss a key under each node in your example ? - Emerica

1 Answers

2
votes

First: Nesting videos and images within Horses depends on your usage. You nest such values when their is relevance for example:

A post on a social networking site will have this structure:

siteData:{
postid:{
   postTitle: value,
   videos : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "type" : "",
    "uid" : ""
  },
    "images" : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "uid" : ""
  }
}
}

Here we have nested them because they are directly relevant to the post.

Another scenario would be when we just want to store all the images and videos on the site, then the structure would be:

  siteData:{
  "images" : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "uid" : ""
  },
  "videos" : {
    "full_path" : "",
    "horse_id" : "",
    "id" : "",
    "thumbnail_path" : "",
    "uid" : ""
  },
  posts:{
  somePostId:{}
  }
  }

Here you see that videos and images are not nested in posts.

Second:

Checking for userId:

"images":{
  ".read": true,
  "$uid": {
      ".read": true,
      ".write": "auth.uid == $uid"
       }
    }

Basically, data here will refer to the data at that reference addressed by the rule.

You may want to check this out : https://gist.github.com/codediodeio/6dbce1305b9556c2136492522e2100f6