POPOEVER

Reputation: 33

How to set security rules to prevent deleting data in Firebase?

My Firebase structure looks like:

"ROOT": {
  "Group": {
    "User": {
      "Name": "",
      "Email": "",
      "Gender": "",
      "Mobile": "",
      "Time": ""
    }
  }
}

My question is, how can I prevent a user from running ref.remove() directly from the client browser inspector, which will delete all data without any prompt?

I want to allow the client script to run Firebase operations like:

  1. add/update data under /ROOT/, I mean, adding more "Group" child nodes, like Group2, Group3..., but not delete this node.
  2. and add data under /ROOT/Group/, as well as update and delete it

How do I set up the security rules? Thanks.

Upvotes: 3

Views: 3072

Answers (2)

mckoss

Reputation: 7014

Some other helpful Bolt functions you can use:

path /create { write() { create(this) } }
path /update { write() { update(this) } }
path /delete { write() { delete(this) } }
path /create-or-update { write() { create(this) || update(this) }}

create(ref) { prior(ref) == null }
update(ref) { prior(ref) != null && ref != null }
delete(ref) { prior(ref) != null && ref == null }

See this sample file and its tests.

Upvotes: 3

David East

Reputation: 32604

Check out Bolt!

Bolt is a schema validation tool for Firebase.

So you could define your Group and User schema and then write rules to make sure no one who isn't authorized can delete it.

type User {
 Name: String;
 Email: String;
 Gender: String;
 Mobile: String;
 Time: Number;
}

path /group/$groupid {
  read() = true;
  write() = this != null; // don't delete existing data
}

path /group/$groupid/user/$uid is User {
  read() = true;
  write() = this != null; // don't delete existing data
}

Now you just need to generate the security rules from the command-line, or upload them using the Firebase CLI. Bolt doesn't have support in the dashboard just yet. You can also copy and paste the generated rules into the dashboard if needed as well.

Upvotes: 6
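
The same restriction written directly as Realtime Database JSON rules for the tree in the question, as an added example that is not part of either answer and is not Bolt's generated output. It assumes "Group" and "User" are arbitrary keys (matched by the hypothetical `$group` and `$user` wildcards), that writers are signed in, and it mirrors the field types of the `User` type in the answer above.

```json
{
  "rules": {
    // Nothing grants .write at "/" or "/ROOT", so ref.remove() there is denied.
    "ROOT": {
      // Assumption: "Group" and "User" in the question are arbitrary keys,
      // matched here by the $group and $user wildcards.
      "$group": {
        ".read": true,
        // Assumption: writers are signed in (auth != null).
        // newData is this group as it would look after the write. A write
        // that removes the group itself leaves nothing there, so it is denied.
        // A granted .write cascades to every child path, so adding, updating
        // and deleting users is allowed while the group stays non-empty.
        ".write": "auth != null && newData.exists()",
        "$user": {
          // .validate does not cascade and is skipped for a node that is
          // being deleted, so it checks the shape of users being written
          // without blocking the removal of a whole user.
          ".validate": "newData.hasChildren(['Name', 'Email', 'Gender', 'Mobile', 'Time'])",
          "Name": { ".validate": "newData.isString()" },
          "Email": { ".validate": "newData.isString()" },
          "Gender": { ".validate": "newData.isString()" },
          "Mobile": { ".validate": "newData.isString()" },
          "Time": { ".validate": "newData.isNumber()" },
          // Reject fields that are not part of the User shape.
          "$other": { ".validate": false }
        }
      }
    }
  }
}
```

With these rules, removing the last remaining user of a group is denied as well, because the database does not keep empty nodes and the group would disappear with it.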
