•  02-10-2022
  •  | 
  •  

Pregunta

I'm new to Firebase and really struggling with the security rules.

I'm trying to store data for anonymous user sessions that can only be accessed by that user but as soon as I tighten up the security rules I get permission denied and can't work out why.

The structure I have is:

/userSessions/$user/user_id

The application pushes to user sessions and writes the user_id as returned by the anonymous login.

I have the following security rules:

{
  "rules": {
    ".read": true,
    "userSessions": {
      "$user": {
        ".write": "newData.child('user_id').val() == auth.id",
        "user_id": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}

I'm sure I'm doing something silly, but can't work out how to use the security simulator either so don't know how to go about troubleshooting this

Any help greatly appreciated

EDIT - Problem occurs when trying to create a new entry under userSessions after authenticating anonymously.

Code:

var userSessionsRef = new Firebase('https://xxxxxx.firebaseio.com/userSessions');
var userSession;
var auth = new FirebaseSimpleLogin( userSessionsRef, function(error,user) {
    if (error) {
        console.log(error);
    } else if (user) {
        userSessionsRef.child(user.id).set({
            user_id: user.id,
            provider: user.provider,
            created: Firebase.ServerValue.TIMESTAMP
            });
    userSession = new Firebase('https://xxxxx.firebaseio.com/userSessions/'+user.id);
    userSession.onDisconnect().remove();
}
¿Fue útil?

Solución

The set() operation you've provided runs great; no errors; there must be another issue at play here that you haven't captured in your repro (did you enable anonymous auth in Forge?). Here's a fiddle running on your security rules, copied line-for-line (just moved down one child path): http://jsfiddle.net/katowulf/wxn5J/

On a related note, your current security rules will not allow the userSession.onDisconnect().remove(); op, since records can only be written if newData() contains a user_id value (i.e. it can't be null). A better way to structure these security rules would be as follows:

{
  "rules": {
    ".read": true,
    "userSessions": {
      "$user": {
        ".write": "$user === auth.id", // delete allowed
        "user_id": {
          ".validate": "newData.isString() && newData.val() === $user"
        }
      }
    }
  }
}
Licenciado bajo: CC-BY-SA con atribución
No afiliado a StackOverflow
scroll top