javascript - The Firebase security rules not works -


i have problem firebase rules. have root folder called 'users', containing many usersids again contains data, this:

users {     userid1 {         info_user {             a: {                 a1: whatever                 a2: whatever                        a3: {                     a3.1: whatever                     a3.2: whatever                     a3.3: whatever                     a3.n: whatever                 }             }             n: {} ...         }     },     userid2 {}, ...n }

everything work fine when running following code if there no security rules, such:

{rules {".read"  : true, ".write" : true}}  function getuserinfo () {     var dbref = firebase.database();     var myarray = [];     dbref.ref('users').on('child_added', function(snapshot) {         snapshot.foreach(function(childsnapshot) {             myarray = (childsnapshot.val().a3);             //         });     }); }

my challenge change security rules without change database structure.

so, tried this:

{     "rules" : {         ".read"  : false,         ".write" : false,         "users": {             "$userid": {                 "info_user": {                     "a":{                         ".read": "auth != null",                         ".write": "(root.child('r').child('w').haschild(auth.uid))",                         "a1":{".validate": "newdata.isstring()"},                         "a2":{".validate": "newdata.isstring()"},                         "a3":{".validate": "newdata.isstring()"}                     },                     "n": {                         ".read": "auth != null",                         ".write": "$user_id === auth.uid"                     }                 }             }         }     } }

the expected result read node a3 when user authenticated.

how this?

firebase database read permission enforced when first attach listener. when attach listener dbref.ref('users'), must have read permission /users. in security rules not case.

to make rules work, move read permission `users:

{   "rules" : {     "users": {       ".read"  : "auth != null",       ...

note permission cascades down. once grant user read permission on /users, have access data under /users. cannot take permission away specific node under there.

this leads 1 of pitfalls of securing firebase database: rules cannot used filter data. more on this, see firebase documentation on "rules not filters", answer it , many more of questions developers struggling concept.


Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more