Questions tagged [firebase-security-rules]

The Firebase security rules combine an expression-based server-side rules language with a flexible client-side authentication system to provide a very flexible security model.

1
vote
0 answers
12 views

Firestore security rules - Unique usernames

I am trying to secure the backend for my app and I can't find a solution anywhere. The documentation isn't helping either. I have 2 collections: users and usernames; I want every user to have an ...
0
votes
1 answer
20 views

Unable to use the logical OR operator in Firebase Firestore security rules - the condition always evaluates to `false`

I want to allow writes to /companies/{company} if the logged-in user is a manager OR the record doesn't exist. I have the following security rules: service cloud.firestore { match /databases/{...
0
votes
0 answers
15 views

Setting Firebase Realtime Database rules with shared access token

I have a firebase Realtime Database where there are 2 collections ("wishlists" and "wishes"). A user will connect to it via an app or a webpage and will login with Firebase Auth. I would like for ...
0
votes
1 answer
15 views

Firestore security rules for specific document

I am trying to apply the following situation: all authenticated users have read and write access to the database except for admin document. Admin document is accessible only for him for read and ...
0
votes
1 answer
27 views

how to write firebase rules for a specific platform

Can I write a firebase rule for a specific platform? e.g. I want this node to be available for all iOS users only (Android can't read/write in it)?
0
votes
0 answers
12 views

Denormalizing datastructures and handling security rules?

I have the following scenario: I have an organization that's composed of multiple teams, an employee may belong to one or more teams. Organization managers can edit anything, and team managers can ...
0
votes
0 answers
14 views

firestore transaction throws error for update rule which allows only has one specific field

On execution of the firestore runTransaction function on the web, the error below occurs. firestore.googleapis.com/v1beta1/projects/myproject/databases/(default)/documents:commit:1 POST https://firestore....
0
votes
0 answers
15 views

Variables in hierarchical cloud firestore rule

I have the following rule set in cloud firestore. The structure is: /users/{userId}/years/{year}/**. I want to deny any write to the year document and its subcollections and their documents if that ...
0
votes
0 answers
22 views

Firebase rules warning validation [duplicate]

I have code for my dynamic queries that returns the proper result that I have to use, but it displays a warning in the console, and there are lots of warnings, one for every record. These are my queries: ...
0
votes
0 answers
16 views

Firestore security rules return true for the condition of updating a field even when it is not being updated

I have a collection, having documents whose fields are created and validated at the time of the creation of the document. I also want to disallow updating of values of some of the fields. I have tried ...
0
votes
0 answers
33 views

Allow un-authenticated users to Write but not read any other child

So I've an application where users are able to write in my database (ONLY during SIGNUP). I want to grant them read/write access to JUST their child node and not my whole database. Currently, an un-...
0
votes
1 answer
32 views

Is it secure to call firestore from flutter mobile apps?

I am new to Flutter's framework. I am coding a mobile application that connects to the Firestore. I would like to ask how secure it is to simply code Firestore/Firebase database logic into our Flutter ...
0
votes
1 answer
17 views

How to define that only one field is written to a particular node?

example: if a user is an admin and is not a company, I want the roles node to only have admin: true (and I do not want another child with company: false) or if the user is a company, true (not admin: ...
1
vote
0 answers
24 views

Cloud firestore security rules are ignored when using the function onSnapshot

My security roles are ignored when using onSnapShot - I'm getting all the documents in the collection and not only the user objects. roles: service cloud.firestore { match /databases/{database}/...
2
votes
2 answers
42 views

Firestore Rules multi organization multi user access rights listing data

I am trying to set up a ruleset for a new Firestore project where we have the following root collections: users organisations Under users we have users/userid/ar/organisationid (ar for access ...
-1
votes
1 answer
42 views

Firebase Database -Restrict value update to only once per user

I am using Firebase Realtime database in an Android app; the app contains articles and I want to add the number of views to the articles through all the app users. The database contains a child (...
0
votes
0 answers
21 views

Set firebase database rules in vice versa [on hold]

I am new to the firebase so I can not catch anything I've ever learned. Here it is. My data have songs, messages and my users have 2, user and also admin. how do I set rules? I make these rules in my ...
-1
votes
0 answers
32 views

When is data actually transferred in Firestore [closed]

I'm trying to decide how to structure permissions for an app. Much of this comes down to the question in the title. Specifically, if I call: const tasks = db.collection('tasks').where('canRead', '...
0
votes
0 answers
8 views

Requiring two values in an update

Consider this Bolt type called ChatMessage Path path /chats/{cid}/{mid} is ChatMessage { read() { auth.uid != null } write() { this.uid == auth.uid } } Type type ChatMessage { uid: ...
0
votes
1 answer
21 views

vote system firebase security rules

I'm trying to write the rules for this node so only the user who is currently logged in can edit/update it with only the values "-5", "3" or "1" and the rest of the users can only edit/update it with "...
0
votes
0 answers
8 views

Firestore security rule with get(<path>).id - id prop not available?

I am attempting to get the key of a document using the Firestore resource property id derived from using get(), like so: get(/databases/$(database)/documents/the/$(path)/is/$(request.resource.data....
0
votes
0 answers
20 views

How to use secured firestore rules on android?

I am writing kotlin android application with auth through phone number. I added rules to secure my db from interruption: service cloud.firestore { match /databases/{database}/documents { match ...
0
votes
1 answer
43 views

Firebase database access rules by data key

I have Firebase Database data of the following type: { sales: { -Axyz: {shop_id: 1, name: item1}, -BqwW: {shop_id: 2, name: item2}, -Cwer: {shop_id: 1, name: item3} } } I'm ...
0
votes
0 answers
13 views

Firestore Security Rule to allow update nested field

I have a document with structure name: "blablabla" members: 123: true 456: true Users can add themselves in members docRef.update(FieldPath.of("members", myUid), true); How do I write a ...
0
votes
0 answers
26 views

allow write privilege to user if their permission is set to true in firebase

I have a user node that looks like this: name: "someone" isAdmin: true isDev: true permissions: shots: true Ultimately, I would like to grant anyone who is an admin to read and write to ...
0
votes
0 answers
11 views

Nothing is writing to my Firebase database [duplicate]

When trying to write to my firebase database, nothing is pushing even though I have followed Firebase's docs line for line and my rules are correct. DatabaseReference user_db = FirebaseDatabase....
0
votes
0 answers
9 views

Give cloud function a unique uid? [duplicate]

Is there any way to provide a cloud function with a unique uid so it can be constrained by Realtime Database rules? I was unable to find any information about this via Google and Stack says I need ...
0
votes
1 answer
37 views

Are we charged for .validate() reads?

Given path /user-project-enum/{uid}/{pid} Where {pid} is a project identifier and its value is a string enum. Eg, myuserid project_id1: favorites project_id2: trash project_id3: inbox ...
0
votes
1 answer
26 views

How to only allow a specific user to create new users in Firebase?

There are a lot of posts and discussions about restricting read/write access to specific users in the Firebase real-time database. However, I am not able to find a way to restrict the creation of new ...
0
votes
1 answer
21 views

validating read access to specified authenticated user

I'm planning to create a realtime database for a chatting apps with private message channel, is there any specific rules that we can check the authenticated user has access to this room? my database ...
0
votes
1 answer
33 views

Deleting data on RealTime Database - Firebase

I'm using firebase realtime database and has following rules setup for the database, { "rules": { ".read": "auth !== null", ".write": "auth !== null" } } But when I try to delete an ...
1
vote
0 answers
24 views

Firebase security rules using get() in a function outside match rule

I have found that using the get() call in a function outside the match rule does not work, whereas putting it in the match rule does work: service cloud.firestore { // If I put this here, it does ...
0
votes
1 answer
22 views

Firebase update fields only when its empty

I have a data set on firebase real time database like this. Users ---Match ------User1 mId:"12345" xId:"" ------User2 mId:"54321" xId:"" Basically ...
0
votes
1 answer
48 views

Firestore create document if it doesn't exist security rule

I was trying to write a rule that if the id of the document doesn't exist, then create a new document. My object is: Message message = new Message(userId, title, messageBody, timestamp); and I'm ...
0
votes
1 answer
17 views

Pipe character in Firestore rule get() request

I have a pipe character (|) in my user id which seems to work with most Firestore rules and requests. However, when I make a get() request in a rule then it fails. Does anyone have any suggestions to ...
0
votes
0 answers
22 views

Firebase Database Rule Base64 Encode [duplicate]

I have database like below: Emails/$uid: [email protected] Users/base64encode([email protected]) name: Test Surname: Test Firebase is sending me "Your Realtime Database has insecure rules" Current my ...
2
votes
1 answer
36 views

Firestore; security rule simulation passes but actually fails (uid as map key)

I can't understand why this Firestore security rule fails in web. I'm using @angular/fire latest with a query on a collection and with firebase latest, but it works in simulation. service cloud....
0
votes
0 answers
21 views

Firebase Database won't allow a substring of user email

I'm trying to write rules in firebase for an app I am making. The way I have my data structured for my users is like this users -username (a substring of the user's email) -all other data ...
-1
votes
1 answer
26 views

Firebase realtime database rules are not working [closed]

I have the following firebase setup: - root - v1 - auth - "key1" : "value", - "key2" : "value, - ... - config - announcements I want that everything should have ".write" ...
0
votes
1 answer
22 views

Not able to access firebase DB with custom token

For some reason when I test my DB access rules it works well on the firebase simulator. But when I try it on my code it does not work, the value never returns. If I change the rules to allow global ...
0
votes
0 answers
22 views

How To Access Document stored in firestore, from Firebase Storage Rules

I want to allow the access to a file stored in firebase storage, only to those customers who are subscribed to service. And the subscription information is stored in the Document of user stored in ...
0
votes
0 answers
14 views

Read and write permission rule for admin user and auth user Firebase Database [duplicate]

I'm trying to create an admin user who will have the permission to read and write in the database of all Firebase user data. This is my database structure: { "Users" : { "uid1" : { "name"...
1
vote
2 answers
38 views

Firestore Security Rules: Where's hasOnly function?

I see hasOnly function in some Firestore security rules examples, but I can't find it on the Google's official documents. What is hasOnly function? Has it been already deprecated?
0
votes
1 answer
26 views

Firebase/Google Cloud Storage file security

I'm trying to figure out the most sensible way to handle file access using Google services. Simplifying the scenario, we have Users (any number) that can authenticate using Google, Facebook, etc, i....
0
votes
1 answer
23 views

How to make a composed primary key using cloud firestore in firebase?

I'm new to firebase and I'm trying to use it in a small application. I'm used to working with relational db and it's weird for me the concept of document and collections of firebase because I didn't ...
-1
votes
1 answer
37 views

Cloud Firestore Security Rules - access properties in arrays of objects

Is it possible to access document property values contained in arrays of objects? I've been working through the excellent Angular Firebase guide on Security Rules - in which document keys are used to ...
0
votes
0 answers
16 views

Firebase realtime database share data with multiple users

For the web app, I have a list of users and mindmaps. Each user should be able to 1. Read/write ONLY their own mind map 2. Share a mind map that they own to another user (read-only) Currently the ...
0
votes
0 answers
24 views

Understanding firebase security rules

I have some difficulties to completely understand how the firebase security system is working. My backend is managed with firebase cloud functions. I am not using firebase authentication but I have my ...
0
votes
1 answer
20 views

cloud firestore rules timestamp

I have this structure in firestore I need to limit access to data where expirationTimestamp > now I have found this example match /collection/{document} { allow read: if request.time < resource....
0
votes
0 answers
17 views

Firestore Security Rules: Allow users to create a document only

I have an app with the following characteristics: Everyone can read the data (public) Admins (authenticated users) have full access (read, write) Users can create invoices Invoices data is not public ...