I am having trouble writing rules in Firebase Realtime Database that accomplish what I want.
My database is structured like so:
{
  "tokens": {
    "-LWzK8PLDtDQhiTp_Els": {
      "token": "exampleToken",
      "uid": "c5vrppXCwbeo22hFCSlW3CBq5el1"
    },
    ...
  }
}
{
  "rules": {
    "tokens": {
      ".indexOn": ["uid", "token"],
      ".read": "auth != null",
      ".write": "auth != null",
      "$token": {
        ".validate": "newData.hasChildren(['uid', 'token']) && newData.child('uid').val() == auth.uid"
      }
    }
  }
}
I want users to be able to (1) read existing child nodes in token where token.uid == auth.uid and (2) write new child nodes to token, but (3) not read the entire token node.
At the moment, the provided rules allow any authenticated user to read and write individual nodes in token as well as the entire token node, which is insecure since sensitive data may be in the other child nodes within token that any given user shouldn't be able to access. Everything that I try is either too liberal or too strict and I can't figure out the perfect middle ground.
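One rule set that meets the three requirements for this exact structure, added here as an illustration and not part of the original question: because a `.read` granted at `tokens` cascades to every child and cannot be revoked by a child rule, the blanket `auth != null` read must be replaced rather than narrowed below it. It assumes the query-based rule variables `query.orderByChild` and `query.equalTo` offered by current Realtime Database rules, and that Firebase's rules editor accepts `//` comments.

```json
{
  "rules": {
    "tokens": {
      ".indexOn": ["uid", "token"],
      // (3) No blanket read of /tokens. A read at this level is only allowed
      // when the client sends a query filtered to its own uid, so nodes owned
      // by other users are never returned. Rules cascade downward and a child
      // rule cannot take a permission away, so "auth != null" must not be
      // granted here.
      ".read": "auth != null && query.orderByChild == 'uid' && query.equalTo == auth.uid",
      "$token": {
        // (1) Direct read of a single node by key, only by its owner.
        ".read": "auth != null && data.child('uid').val() == auth.uid",
        // (2) Create-only: the node must not exist yet and must carry the
        // caller's own uid. Existing nodes cannot be modified or deleted.
        ".write": "auth != null && !data.exists() && newData.child('uid').val() == auth.uid",
        // Shape check; ownership is already enforced by the .write rule above.
        ".validate": "newData.hasChildren(['uid', 'token']) && newData.child('token').isString()"
      }
    }
  }
}
```

With these rules a client must read the list as `orderByChild('uid').equalTo(<its own uid>)`; a plain read of `/tokens`, or a query filtered to another uid, is denied because rules are enforced, not applied as filters.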