Question

I'm stuck on the Firebase security rules. I don't understand how it maps the "url" into the $variable.

How are these two mapped?

"$user": {
  ".read": "$user == 42" // where does this $user get its value from?
}

Given this rule set:

{
  "rules": {
    "users": {
      "$provider": {
        "$user": {
          ".read": "$user == auth.id",
          ".write": "$user == auth.id"
        }
      }
    }
  }
}

Does not work:

Attempt to read /users/twitter/169508069 with auth={"id":169508069}
    /
    /users
    /users/twitter
    /users/twitter/169508069: "$user == auth.id"
        => false

No .read rule allowed the operation.
Read was denied.

Works: (changed rule to the fixed user id)

Attempt to read /users/twitter/169508069 with auth={"id":169508069}
    /
    /users
    /users/twitter
    /users/twitter/169508069: "169508069 == auth.id"
        => true

Read was allowed.

Based on the documentation of $location variables, it looks to me like I have the mapping from $user to ".read": "$user == auth.id" correct, but I must be missing something.


Solution

Whoa! So the actual problem is that I registered the rule for auth.id in the simulator as 169508069, the integer. $user has the value of "169508069", the string. When I manually set the value to compare against (an integer), of course it works.

Pretty tricky to track down.

Suggestion for the Firebase folks: print the computed value of the $variable in the security simulator output to help isolate security issues.

For others, just a heads up to be wary of data types.
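
The mismatch described in this answer can be reproduced with a small model of how a path is bound to $location variables. This is an added example, not part of the original post and not Firebase's own evaluator: the function names (bindPath, operand, canRead) are hypothetical, it only handles rules of the form "a == b" at the matched node, and it assumes the comparison is type-sensitive, as the simulator output in the question shows.

```javascript
// Toy model (assumption, not Firebase code): bind a path to $location variables.
const rules = { // rule set from the question, reduced to the .read rule
  users: { $provider: { $user: { '.read': '$user == auth.id' } } },
};

// Walk the rules tree along the path. A literal key wins; otherwise a "$name"
// wildcard key matches and captures the path segment, which is always a string.
function bindPath(tree, path) {
  const vars = {};
  let node = tree;
  for (const segment of path.split('/').filter(Boolean)) {
    if (Object.prototype.hasOwnProperty.call(node, segment)) {
      node = node[segment];
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (!wildcard) return null; // no rule branch covers this path
      vars[wildcard] = segment;
      node = node[wildcard];
    }
  }
  return { node, vars };
}

// Resolve one operand of "<a> == <b>": a $variable, auth.<field>, or a literal.
function operand(token, vars, auth) {
  if (token.startsWith('$')) return vars[token];
  if (token.startsWith('auth.')) return auth[token.slice(5)];
  return JSON.parse(token);
}

// Evaluate the .read rule at the matched node, comparing type and value.
function canRead(tree, path, auth) {
  const bound = bindPath(tree, path);
  if (!bound || !bound.node['.read']) return false;
  const [left, right] = bound.node['.read'].split('==').map((t) => t.trim());
  return operand(left, bound.vars, auth) === operand(right, bound.vars, auth);
}

const path = '/users/twitter/169508069'; // path from the question
console.log(bindPath(rules, path).vars);                // $user is the string "169508069"
console.log(canRead(rules, path, { id: 169508069 }));   // false: string vs number
console.log(canRead(rules, path, { id: '169508069' })); // true: both strings
```
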

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow