Tukk
Tukk

Reputation: 133

Firebase add users but disable any modification

got stuck on this problem: I want to allow user to register on my webpage using firebase, for that reason I planned the following structure:

users : {
    user0 : { //user specific data },
    user1 : { //... }
    ...
}

Everything works fine (writing, reading...) until I change the security rules. I want to change them because I want the users only to register and not to have the power to delete their or potentially other user accounts. But I couldn't find anything very helpful on that. Below is what I'm currently left with:

{
"rules": {
    "users" : {
          ".read": true,
          "$uid" : {            
          ".write": "auth !== null && auth.uid === $uid"
       }
    }
}
}

I'm wondering how to set up the rules such that users can only add new accounts.

I would appreciate any help!

Thaanks :)

Edit: Here's what I wanted to achieve with the rules above, maybe the below example using the simulator will make my point clear.

The first thing, I want to do is, is to let a user register at the /users node. Therefore, I chose the Custom Auth point in the simulator:

{ provider: 'anonymous', uid: '002a448c-30c0-4b87-a16b-f70dfebe3386' }.

Now, if I choose "simulate write" and give the path /users and the following key-value pair:

{ "002a448c-30c0-4b87-a16b-f70dfebe3386": { "1" : {"a" : "b"}}}

I get the below message (see Result_2), which tells me, that I cannot write to /users because there's no write rule allowing it, which I totally understand in the above security rules configuration, but I don't know how to change them such that I am able to write key-value pairs as the above one while still allowing each user to write on there entry only. I.e. the user with the uid: 002a448c-30c0-4b87-a16b-f70dfebe3386 would be allowed to write on the corresponding value with the rules above as long as he is authenticated (see Result_1).

E.g. Custon Auth authenticated user writing ON HIS ENTRY: (WORKS PERFECTLY AS EXPECTED)

{ provider: 'anonymous', uid: '002a448c-30c0-4b87-a16b-f70dfebe3386' }.

As the previous time. Now, "simulate write" on path:

/users/002a448c-30c0-4b87-a16b-f70dfebe3386

Result_1:

Attempt to write {"4":{"name":"fred"}} to /users/002a448c-30c0-4b87-a16b-f70dfebe3386 with auth={"provider":"anonymous","uid":"002a448c-30c0-4b87-a16b-f70dfebe3386"}

/

/users

/users/002a448c-30c0-4b87-a16b-f70dfebe3386:.write: "auth !== null && auth.uid === $uid" => true

Write was allowed.

Result_2: Writing the user onto the /users nodes fails, i.e. no registering is possible. And I want here to be able to add a user to /users but not be able to modify/delete user from /users. See simulator output below.

Attempt to write {"002a448c-30c0-4b87-a16b-f70dfebe3386":{"1":{"a":"b"}}} to /users with auth={"provider":"anonymous","uid":"002a448c-30c0-4b87-a16b-f70dfebe3386"}

/

/users No .write rule allowed the operation.

Write was denied.

Upvotes: 1

Views: 344

Answers (1)

Frank van Puffelen
Frank van Puffelen

Reputation: 600126

Permissions cascades - once you give a user a permission on /users you cannot remove that permission on /users/$uid anymore.

The solution is to only grant permission on the lowest level, so in your case:

{
  "rules": {
    "users" : {
        ".read": true,
        "$uid" : {
          ".write": "auth !== null && auth.uid === $uid"
       }
    }
  }
}

Upvotes: 1

Related Questions