Pritesh Kumar

Reputation: 11

Firebase Rules: We've detected the following issue(s) with your security rules

I appreciate this looks like it has been answered various times for individual requirements. I am completely new to Firebase and I want to get some insight into this. I have been presented with this message from Firebase:

We've detected the following issue(s) with your security rules:
any logged-in user can read your entire database
any logged-in user can write to your entire database

My current rules look like this:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "items": {
        ".indexOn": "ownerId"
    },
    "events": {
        ".indexOn": "ownerId"
    },
    "contacts": {
        ".indexOn": "ownerId"
    }
  }
} 

Based on the documentation, do I simply need to do this?

 {
  "rules": {
    ".read":   "auth != null && auth.uid == $uid"
    ".write":  "$user_id === auth.uid",
    "items": {
        ".indexOn": "ownerId"
    },
    "events": {
        ".indexOn": "ownerId"
    },
    "contacts": {
        ".indexOn": "ownerId"
    }
  }
}  

Will users still be able to access their own (previously) written data prior to making the change while enforcing the security rules from Firebase?

Apologies if this is a silly question, but I've got a lot of data which I cannot let users not have access to.

Thanks

Upvotes: 1

Views: 412

Answers (1)

elopezp

Reputation: 627

As the Firebase documentation says:

Sometimes, Rules check that a user is logged in, but don't further restrict access based on that authentication. If one of your rules includes auth != null, confirm that you want any logged-in user to have access to the data.

So you have to get rid of this part down under the rules part:

".read": "auth != null",
".write": "auth != null",

And use any of these approaches: Content owner only, Path-delineated access or Mixed public and private access. For example:

{
  "rules": {
    "products": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        ".indexOn": ["creatorId", "isActive"]
      }
    },
    "stores": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        ".indexOn": ["creatorId", "isActive"]
      }
    },
    "orders": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

Upvotes: 0
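
An added example, not part of the answer above or of the Firebase documentation: content-owner-only rules for the question's existing items, events and contacts paths. It assumes every record there already stores its owner's uid in ownerId and that clients list records with orderByChild('ownerId').equalTo(uid); under that assumption previously written records stay readable by their owner without moving any data.

```json
{
  "rules": {
    // Assumption: each record under items, events and contacts has an "ownerId" child holding the owner's uid.
    // No ".read" or ".write" at the root: access granted at a parent path cannot be revoked lower down.
    "items": {
      ".indexOn": "ownerId",
      // List reads are allowed only for orderByChild("ownerId").equalTo(<caller's uid>).
      ".read": "auth != null && query.orderByChild === 'ownerId' && query.equalTo === auth.uid",
      "$itemId": {
        ".read": "auth != null && data.child('ownerId').val() === auth.uid",
        // Create, update or delete only your own record; ownerId cannot be reassigned to another user.
        ".write": "auth != null && (!data.exists() || data.child('ownerId').val() === auth.uid) && (!newData.exists() || newData.child('ownerId').val() === auth.uid)"
      }
    },
    "events": {
      ".indexOn": "ownerId",
      ".read": "auth != null && query.orderByChild === 'ownerId' && query.equalTo === auth.uid",
      "$eventId": {
        ".read": "auth != null && data.child('ownerId').val() === auth.uid",
        ".write": "auth != null && (!data.exists() || data.child('ownerId').val() === auth.uid) && (!newData.exists() || newData.child('ownerId').val() === auth.uid)"
      }
    },
    "contacts": {
      ".indexOn": "ownerId",
      ".read": "auth != null && query.orderByChild === 'ownerId' && query.equalTo === auth.uid",
      "$contactId": {
        ".read": "auth != null && data.child('ownerId').val() === auth.uid",
        ".write": "auth != null && (!data.exists() || data.child('ownerId').val() === auth.uid) && (!newData.exists() || newData.child('ownerId').val() === auth.uid)"
      }
    }
  }
}
```

Records that lack an ownerId value become unreadable and unwritable to clients under these rules, and an unfiltered read of /items, /events or /contacts is rejected, so check both in the Rules Playground before publishing.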
