For firebase rules, why does permission get denied at uid level?

0
votes

I got this error in the console

[Firebase/Database][I-RDB038012] Listener at /people/cQEVsQGXS3VJQzPBU4nL1HLx0Kq2 failed: permission_denied

Here are my rules below. I have an idea that the error might be at uid, because of the console message that I got, but I am not sure. I used the firebase documentation to try to figure out how to write the rules.

{
"rules": {
  "people" : {
    "$uid":  {
      "Education" :{
         ".read": "auth.uid != null" 
        ,".write": "$uid == auth.uid"
      }
      ,"Coordinates" : {
         ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }  
      ,"ForReUpload": {
         ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
      ,"PhotoPosts": {
         ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
        
      ,"WhatIamConsideringBuying":  { 
         ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
      ,"caption": {
        ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
      ,"peopleWhoLike" : {
        ".read": "$uid == auth.uid",
        ".write": "auth.uid != null"
      }
      ,"peopleWhoLike2" : {
         ".read": "auth.uid != null",
        ".write": "auth.uid != null"
      }
     
      ,"postID" : { 
         ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
      ,"users" : {     
         ".read": "$uid == auth.uid",
       ".write": "$uid == auth.uid"  
      }
    }
  }
  }
}

Here is a JSON of my db:

"people" : {
"1ZWT7FAE2qThNQfBj7tbMO7BnMo1" : {
  "Coordinates" : {
    "latitude" : 50.054738,
    "longitude" : 8.226809826085624
  "peopleWhoLike2" : {
    "1vLVFwrXrHUoakmDrnQKwbv08Yj1" : 1581548952597,
    "F9NX0UCG4fVHCKFk2VZ1NZKsLro2" : 1586210112155,
    "IrrBgFY9C1ekMmHUkQRzc5LhbDu1" : 1581547417432,

Triggering query:

    let thisUsersUid = Auth.auth().currentUser?.uid //Mr. Dunn's uid
    
    refArtists = Database.database().reference().child("people");
    
    refArtists.observe(DataEventType.value,  with: {snapshot in
        
        if snapshot.childrenCount>0{
            
            self.people.removeAll()
            
            for people in snapshot.children.allObjects as! [DataSnapshot] {
                
                    if people.key != thisUsersUid {
                        print("peoplekey",people.key)
                        

               
                    let peopleObject = people.value as? [String: AnyObject]
                    let peopleEducation = peopleObject?["Education"] as? String
                      let locCoord = CLLocation(latitude: lat, longitude: lon)
                      let distance = locCoord.distance(from: self.dict)
                            print(distance, "distancexy")




....
   self.people.append(peopl)
  .....

   self.people.sort { ($0.distance ?? 0) < ($1.distance ?? 0) }

           print("aaaaaaaa", self.people.map {$0.distance})
                
           self.table.reloadData()

            }
        }
1
swiftfirebasefirebase-realtime-databasefirebase-security
Please edit the question to show the query that's failing, and what you expect it to do instead. It should be clear how your query matches your rule.Doug Stevenson

1 Answers

0
votes

You're trying to read from /people/cQEVsQGXS3VJQzPBU4nL1HLx0Kq2, but your rules don't grant anyone read access to that path.

I think you're looking for these much simpler rules:

{
  "rules": {
    "people" : {
      "$uid":  {
        ".read": "auth.uid != null",
        ".write": "$uid == auth.uid"
      }
    }
  }
}

If you want to allow only certain child node, you'd typically use validation rules for that. Something like:

{
  "rules": {
    "people" : {
      "$uid":  {
        ".read": "auth.uid != null",
        ".write": "$uid == auth.uid",
        "Education" :{ ".validate": true },
        "Coordinates" : { ".validate": true },
        "ForReUpload": { ".validate": true },
        "PhotoPosts": { ".validate": true },
        "WhatIamConsideringBuying":  { ".validate": true },
        "caption": { ".validate": true },
        "peopleWhoLike" : { ".validate": true },
        "peopleWhoLike2" : { ".validate": true },     
        "postID" : { ".validate": true },
        "users" : { ".validate": true },
        "$other" : { ".validate": false },
      }
    }
  }
}

The above allows all the named child nodes, but rejects all others (thanks to the $other rule).