Menu
I'm trying to get my database secure and my scenario data looks like:
receipts: [
{
userId: id,
...
},
{
userId: id,
...
},
...
]
Each receipt has userId field with information about it's creator. I would like to return list of receipts for specific user. For that I've made REST call which looks like this:
https://[PROJ_NAME].firebaseio.com/receipts.json?orderBy="userId"&equalTo="[USER_ID]"&auth=[TOKEN]
And on all rules set to open it works great. But I would like to protect my database so other users cannot see all resources just by changing URL.
On firebase documentation I've found such snippet:
"baskets": {
".read": "auth.uid != null &&
query.orderByChild == 'owner' &&
query.equalTo == auth.uid" // restrict basket access to owner of basket
}
It seems reasonable so I applyed it to my configuration but now it always fails. This is how my file looks like:
{
"rules": {
"receipts": {
".indexOn": ["userId"],
".read": "auth.uid != null &&
query.orderByChild == 'userId' &&
query.equalTo == auth.uid"
}
}
}
Unfortunately it always returns "error" : "Permission denied". I've lost whole day because of that thing :(
Can anyone help me pls?
849
firebaser here
Update (2018-01-25): This bug has now been fixed. Since this was a server-side issue, there is no need to update your SDKs.
.
Original answer below
There is a bug in the way the server interprets security rules that use query.orderByChild and query.equalTo at the moment. We're working on a fix.
To work around the problem for now, you can combine query.startAt and query.endAt to get the same result:
".read": "auth.uid != null &&
query.orderByChild == 'userId' &&
query.startAt == auth.uid &&
query.endAt == auth.uid"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
