javascript - Enforce user id for a field in Firebase Database using rules -


i want users able add posts using app. need know made each post client uses

this.firebaseapp.database().ref('posts/').push({         userid, text, timestamp:new date()       }); 

technically though, modify client , send value userid, need database rule prevent this.

the example user data on firebase site mentions:

{   "rules": {     "users": {       "$user_id": {         // grants write access owner of user account         // uid must match key ($user_id)         ".write": "$user_id === auth.uid"       }     }   } } 

i think want .write restriction since posts different dataset, don't want use post key, want refer value being passed in.

here's i've tried allows posts written still:

{   "rules": {     ".read": "auth != null",     ".write": "auth != null",     "posts": {       "userid": {         ".write": "newdata.val() === auth.uid"       }     }   } } 

that first code snippet syntactically incorrect. let's assume meant:

this.firebaseapp.database().ref('posts/').push({     userid: userid, text: text, timestamp:new date() }); 

the rules want are:

{   "rules": {     ".read": "auth != null",     "posts": {       "$postid": {         ".write": "newdata.child('userid').val() === auth.uid"       }     }   } } 

the key differences:

  • i removed top-level ".write" rule. permission cascades down: once grant access @ level, cannot take away @ lower level.
  • i added $postid, needed since rule needs apply child noders under /posts. $postid wildcard rule allow that.
  • i ensure have write permission individual post, since doing on userid property not allow user write actual post anymore.

Comments

Popular posts from this blog

Ansible warning on jinja2 braces on when -

Parsing a protocol message from Go by Java -

html - How to custom Bootstrap grid height? -