Reputation: 355
Now I have these rules:
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid == auth.uid",
        ".read": "auth != null && auth.uid == $uid"
      }
    }
  }
}
When authorizing, I write data to the database along this path
Further in the application, I want to display all user emails, but nothing is displayed.
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_read);
        listView = findViewById(R.id.textView);
        listData = new ArrayList<>();
        adapter = new ArrayAdapter<>(this, android.R.layout.simple_list_item_1, listData);
        listView.setAdapter(adapter);
        // getReference() with no argument returns the root of the database
        mDatabase = FirebaseDatabase.getInstance().getReference();
        mAuth = FirebaseAuth.getInstance();
        getDatafromDB();
    }

    private void getDatafromDB() {
        ValueEventListener valueEventListener = new ValueEventListener() {
            @Override
            public void onDataChange(@NonNull DataSnapshot dataSnapshot) {
                if (listData.size() > 0) listData.clear();
                // Walk every child of /users and collect the email field
                for (DataSnapshot ds : dataSnapshot.child("users").getChildren()) {
                    User user = ds.getValue(User.class);
                    assert user != null;
                    listData.add(user.email);
                }
                adapter.notifyDataSetChanged();
            }

            @Override
            public void onCancelled(@NonNull DatabaseError databaseError) {
                // A read rejected by the security rules is reported here;
                // with an empty body the failure is silent
            }
        };
        // The listener is attached to the root reference, so the read is requested on "/"
        mDatabase.addValueEventListener(valueEventListener);
    }
}
If I write the initial rules,
{
  "rules": {
    ".write": "false",
    ".read": "true"
  }
}
then everything is displayed. Based on this, I conclude that I am setting the rules incorrectly. How do I do it right?
Upvotes: 2
Views: 119
Reputation: 83093
By setting your rules as follows:
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "$uid == auth.uid",
        ".read": "auth != null && auth.uid == $uid"
      }
    }
  }
}
a user can only read the database node corresponding to his/her user UID. See the doc for more details.
You don't detail which exact access rights you want to implement (All users can read the entire users node? Only the authenticated users can read the entire users node? etc...) but you need to adapt your rule accordingly.
PS: Also, don't forget that rules are not filters.
Yes, if you want to check, in your rules that the user has verified he/she has access to the email address you would do ... auth.token.email_verified == true. See this doc for more details.
Upvotes: 1
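Added example (not part of the original question or answer, and not Firebase's own code): a simplified JavaScript model of the read check, showing why the rules in the question reject a listener on `/` or `/users` while allowing `/users/<own uid>`, which is what "rules are not filters" means in practice. The `canRead` helper, the `authedListRules` variant and the uid values are assumptions made for illustration.

```javascript
// Simplified model of the Realtime Database read check (not Firebase's engine).
// A read at `path` succeeds only if a ".read" rule on that path or on one of
// its ancestors is true. Rules on deeper nodes are never consulted, so a
// listener on a parent node is rejected as a whole rather than filtered.

// The rules from the question: each user may read only /users/<own uid>.
const pageRules = {
  users: { $uid: { '.read': (auth, vars) => auth !== null && auth.uid === vars.$uid } },
};

// Assumed alternative: any signed-in user may read all of /users.
// Note this exposes every stored email to every authenticated account.
const authedListRules = {
  users: { '.read': (auth) => auth !== null, $uid: {} },
};

function canRead(rules, path, auth) {
  const segments = path.split('/').filter(Boolean);
  const vars = {};          // captured $wildcard values
  let node = rules;
  for (let i = 0; ; i++) {
    const rule = node['.read'];
    if (rule && rule(auth, vars)) return true;      // a grant cascades downward
    if (i === segments.length) return false;        // reached the target: default deny
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (!wildcard) return false;                  // no rules below: default deny
      vars[wildcard] = seg;
      node = node[wildcard];
    }
  }
}

const alice = { uid: 'alice' };   // constructed sample user
for (const [name, rules] of Object.entries({ pageRules, authedListRules })) {
  for (const path of ['/', '/users', '/users/alice', '/users/bob']) {
    console.log(name, path, canRead(rules, path, alice));
  }
}
```

Even with the variant that opens `/users` to signed-in users, a read on `/` is still denied, so the listener has to be attached to the `users` reference rather than to the root reference.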