Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firebase Security & Rules, How can I let users delete their own data?

My data in firebase looks like this, in my web app everyone who accesses it gets authenticated anonymously via firebase, and their UID is stored with every post the user creates:

  "-KF5N2V_dKD1dMHebUqc" : {
    "note" : "Hello everybody",
    "pos" : {
      "lat" : 40.3628851,
      "lng" : -74.0493175
    },
    "time" : 1460395853884,
    "uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
  },
  "-KHwyP-tnWNOA3nxzEm4" : {
    "note" : "hi",
    "pos" : {
      "lat" : 37.0947156,
      "lng" : -121.0179501
    },
    "time" : 1463459362615,
    "uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
  }

I want my firebase rules setup so that only anonymous users can delete their through own posts.

So far i was only able to come up with this after reading the firebase documentation:

{
    "rules": {
      ".read": "auth != null",
      ".write": "auth != null",
      "$msg": {
        ".validate": "newData.hasChildren(['note','time','uid','pos']) 
          && newData.child('note').isString() && newData.child('time').isNumber() 
          && newData.child('uid').isString() && newData.child('note').isString()
          && newData.child('pos/lat').isNumber() && newData.child('pos/lng').isNumber()"
      }
    }
}
like image 683
user1742835 Avatar asked Sep 06 '25 03:09

user1742835


1 Answers

You'll need to move the .write permission down and tie it to the data:

{
    "rules": {
      ".read": "auth != null",
      "$msg": {
        ".write": "!data.exists() || (!newData.exists() && data.child('uid').val() === auth.uid)"
        ".validate": "..."
      }
    }
}

It's a bit of mix-and-match from these two sections of the Firebase documentation:

  • https://www.firebase.com/docs/security/guide/securing-data.html#section-data-variables

  • https://www.firebase.com/docs/security/guide/user-security.html

like image 141
Frank van Puffelen Avatar answered Sep 07 '25 20:09

Frank van Puffelen