Reputation: 1019
Firebase Anonymous Data Security
Firebase realtime DB security from a JS app.
I'm allowing a read permission for all password-auth users. Then, for all other types (only anonymous, per my scheme), I want to allow read for only specific /bundles/.
These are the rules -
{
"rules": {
".read": "auth != null && auth.provider == 'password'", // working!
"bundles": {
"$bundle": {
".read": "data.child('anonymous').val() == true", // not working
}
},
}
}
And /bundles -
"-L-2BbIkAg6J9WPMaJpJ": {
"anonymous": true,
"more_data": "data_1"
},
"-L-UHBr45eEUHGwsPWqq": {
"anonymous": false,
"more_data": "data_2"
}
I expect, when logged-in as anonymous, to see only the first bundle but instead I get an error from FB - "permission_denied at /bundles".
Upvotes: 1
Views: 107
Answers (1)
Reputation: 1862
The .read fails because you're trying to access the /bundles location. If instead you query the specific bundle directly, it will pass:
// read denied
ref.child('bundles').once('value')
// read allowed
ref.child(`bundles/-L-2BbIkAg6J9WPMaJpJ`).once('value')
You won't be able to filter data through Firebase rules, as stated in this section of the Firebase docs. I suggest you update the schema and provide a separate node for your anonymous bundles e.g.:
{
"rules": {
".read": "auth != null && auth.provider == 'password'",
"anonymousBundles": {
".read": "auth != null"
}
}
}
Upvotes: 1
Related Questions
- Firebase Anonymous Authentication
- Firebase database security for new users
- Send data to Firebase anonymously
- Firebase DB data security
- Firebase database security rules to allow anonymous as well as web access
- Firebase security problems / authentication
- firebase security layer and manipulations (javascript)
- Creating/Adding user on Firebase
- Basic understanding of Firebase security
- Firebase JS Secure Authentication