
Firebase Security rule to restrict up to some characters of a string

How can I restrict a user from saving a string that is above some limit?

I am getting "Invalid property access: target is not an object" if I try to validate in security rules with the length property of a string.

Ashok asked May 11 '13 07:05


2 Answers

The Firebase Security Rules now support a length property for strings, as well as several other string methods including replace(), contains(), toUpperCase(), toLowerCase(), etc.

See https://firebase.google.com/docs/reference/security/database/#string_properties for more information.

Rob DiMarco answered Sep 27 '22 21:09


The syntax you can use in rules is detailed here.

Unfortunately, being able to perform string operations (match, length, etc.) is not available at this time. SEE ROB'S ANSWER BELOW, THIS FEATURE IS NOW AVAILABLE

I know this is at least on the Firebase radar because I requested a similar feature some time ago.

If you explain the exact details of what you want to solve, it will allow for a much more specific answer; for now I'll give you some general ideas.

Use a privileged app

Monitor Firebase with a privileged application and whenever a value is written to the specific fields you need string validation on, check it manually and delete it if invalid.

Naturally, client validation will take care of all valid use cases. So this is only needed to prevent malicious insertions.

Alternately, you can approach this more as an audit. Just email any invalid strings to some address to be reviewed. Since the client is going to make sure the string is valid before insertion, you are once again just looking at bugs or malicious behaviors.

Delegate writing to an API

Instead of letting the client write privileged data, send it to an API and have the API write that data, making it read-only to the client.

Don't worry about it

Do you really need to validate the length? Is it sufficient to simply look and see if it's a string? Is it really a concern that someone would "hack" the contents of a string? Probably not. It could be, but probably not.

And if it is a concern, can it be solved by another avenue? If there is a server involved, just use the process outlined above.

Kato answered Sep 27 '22 22:09
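
The "privileged app" check from the answer above, sketched as an added example that is not part of the original answers or of Firebase's own code: it walks a snapshot value, flags strings over a limit (or values that are not strings at all), and builds both an audit list and a set of paths to delete. The `LIMITS` table, the `messages/<id>/<field>` layout and the sample data are assumptions made for illustration.

```javascript
// Added example: server-side sweep for over-long or non-string values.
// LIMITS and the messages/<id>/<field> layout are assumed, not from the page.
const LIMITS = { title: 50, body: 500 }; // maximum length per validated field

// Returns null when the value is acceptable, otherwise a short reason string.
function checkField(field, value) {
  const max = LIMITS[field];
  if (max === undefined) return null;              // field is not validated
  if (typeof value !== 'string') return 'not a string';
  // String.length counts UTF-16 code units, the same measure a client-side
  // length check in JavaScript would have used before writing.
  return value.length > max ? `length ${value.length} > ${max}` : null;
}

// Takes the plain object a snapshot's val() would return for "messages" and
// returns { findings, deletes }: findings feed the audit report, deletes is a
// path -> null map (null marks a location for removal in a multi-path update).
function auditMessages(messages) {
  const findings = [];
  const deletes = {};
  for (const [id, record] of Object.entries(messages || {})) {
    // A record that is not an object has no fields to inspect.
    if (record === null || typeof record !== 'object') continue;
    for (const field of Object.keys(LIMITS)) {
      if (!(field in record)) continue;            // absent field: nothing to check
      const reason = checkField(field, record[field]);
      if (reason) {
        const path = `messages/${id}/${field}`;
        findings.push({ path, reason });
        deletes[path] = null;
      }
    }
  }
  return { findings, deletes };
}

// Constructed sample data: one clean record, one over-long title,
// and one body that a modified client wrote as an object.
const sample = {
  m1: { title: 'hello', body: 'short text' },
  m2: { title: 'x'.repeat(51), body: 'ok' },
  m3: { title: 'fine', body: { nested: 'object instead of string' } },
};

const result = auditMessages(sample);
console.log(result.findings);
```

For the audit variant described in the answer, only `findings` is reported and `deletes` is left unapplied.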