Unable to add new 'user' row to Firebase Users collecton using BackFire Collection

Question

I'm using Backfire Collection trying to add a new user row to a custom "Users" collection in Firebase, after the user has registered successfully using FirebaseSimpleLogin.

Here are my security rules:

"users": {
  "$user_id": {
    ".read": "auth.id === $user_id",
    ".write": "(!data.exists() && (newData.child('id').val() + '' === auth.id)) || ($user_id ===  auth.id)"
  }

The security rule should accomplish the following:

1. Allow a newly registered user to create a new 'User' row, so his personal information is stored under the URL "http://myurl.firebase.com/users/1/".

2. A logged-in user can only read his own user row.

3. A logged-in user can only update his own user row.

However, I'm getting permission denied using the following code:

    var FireUsers = Backbone.Firebase.Collection.extend({
      model   : Backbone.Model,
      firebase: new Firebase(FirebaseURL + '/users/')
    }),
    fireUsers = new FireUsers();

    fireUsers.add(newUserObj);

I tried it in the simulator and the only way I'm able to satisfied the above 3 conditions is to set the security rule to "auth != null", which is obviously not ideal.

Any help is appreciated!

-Tony

Answer 1

If a logged-in user can only read their row in the users table, then you cannot create a collection for the entire users collection (since that would mean that everyone could read the users table). Creating a new instance of Backbone.Firebase.Collection for a particular URL will immediately try to download all the data at that URL, which will fail because of the security rules.

I recommend using Backbone.Firebase.Model instead, and creating a new instance for the user, directly at the URL with the user ID included.