Firebase Real-time DB Security Rules

Question

when users are banned from the room, I want to remove these users read & write permission on security rules. Btw: I added the user id into the room for the check this user is banned.

Security Rules;

{
  "rules": {
    "live": {
        "rooms": {
          "$room": {
              ".write": "!$room.child('auth.uid').exists()", // auth.uid from Fb Auth
              ".read": "!$room.child('auth.uid').exists()",
            }
        }
    }
  }
}

Real-time database data

{
  "live" : {
    "rooms" : {
      "1245" : { // room id
        "14Kq4sx2X07FbNhOVBxQcYM3TZ8X53" : -1, // banned user uid from Auth
        "comments" : [ {
          "comment" : "hello",
          "date" : "2020-12-20 20:23:33",
          "uid" : "14Kq4sx2X07FbNhOVBxQcYM3TZ8X53",
          "username" : "name"
        } ]
      }
    }
  }
}

But these rules are not working, when I added auth id into the room but every user can read & write this room

Frank van Puffelen Frank van Puffelen · Accepted Answer · 2020-12-22T15:41:05

You have quotes around 'auth.uid', which means the rules check for that literal string: 'auth.uid'. If you want to check agains the value of auth.uid you should not put it in quotes.

So:

".write": "!data.child(auth.uid).exists()",

Firebase Real-time DB Security Rules

1 Answers