Firebase query.equalTo rule always returns "Permission denied" in REST

I am trying to protect my database and my script data is as follows:

receipts: [ { userId: id, ... }, { userId: id, ... }, ... ] 

Each receipt has a userId field with information about its creator. I would like to return a list of receipts for a specific user. To do this, I made a REST call that looks like this:

https://[PROJ_NAME].firebaseio.com/receipts.json?orderBy="userId"&equalTo="[USER_ID]"&auth=[TOKEN]

And with all the rules set to open, it works great. But I would like to protect my database so that other users cannot see all the resources just by changing the URL.

In the Firebase documentation, I found this snippet:

    "baskets": {
      ".read": "auth.uid != null && query.orderByChild == 'owner' && query.equalTo == auth.uid" // restrict basket access to owner of basket
    }

It seems reasonable, so I applied it to my configuration, but now it always fails. This is what my file looks like:

    {
      "rules": {
        "receipts": {
          ".indexOn": ["userId"],
          ".read": "auth.uid != null && query.orderByChild == 'userId' && query.equalTo == auth.uid"
        }
      }
    }

Unfortunately, it always returns "error" : "Permission denied". I lost all day because of this thing :(

Can anybody help me?

+7
rest firebase firebase-database firebase-security
1 answer

firebaser here

Update (2018-01-25): this error has been fixed. Since this was a server-side issue, there is no need to update your SDKs.



Original answer below


There is currently an error in how the server interprets security rules that use query.orderByChild and query.equalTo. We are working on a fix.

To work around the problem at the moment, you can combine query.startAt and query.endAt to get the same result:

  ".read": "auth.uid != null && query.orderByChild == 'userId' && query.startAt == auth.uid && query.endAt == auth.uid" 
+3
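
The following is an added example, not part of the original question or answer and not Firebase's own code: it builds the REST query for both rule variants and checks each URL against a simplified local model of the `.read` expression. The model assumes each REST parameter (`orderBy`, `equalTo`, `startAt`, `endAt`) maps directly to the same-named `query.*` variable; the host, token and uids are constructed placeholders and nothing is sent over the network.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder host in the page's own notation; no request is made.
BASE = "https://PROJ_NAME.firebaseio.com/receipts.json"

def build_url(uid, token, workaround=False):
    """Build the REST query; filter values are JSON-encoded (quoted strings)."""
    params = {"orderBy": json.dumps("userId")}
    if workaround:
        params["startAt"] = params["endAt"] = json.dumps(uid)
    else:
        params["equalTo"] = json.dumps(uid)
    params["auth"] = token
    return BASE + "?" + urlencode(params)

def query_vars(url):
    """Map REST parameters to the query.* names used in the rule (assumed model)."""
    qs = parse_qs(urlsplit(url).query)
    get = lambda k: json.loads(qs[k][0]) if k in qs else None
    return {"orderByChild": get("orderBy"), "equalTo": get("equalTo"),
            "startAt": get("startAt"), "endAt": get("endAt")}

def rule_equal_to(auth_uid, q):
    # auth.uid != null && query.orderByChild == 'userId' && query.equalTo == auth.uid
    return (auth_uid is not None and q["orderByChild"] == "userId"
            and q["equalTo"] == auth_uid)

def rule_start_end(auth_uid, q):
    # auth.uid != null && query.orderByChild == 'userId'
    #   && query.startAt == auth.uid && query.endAt == auth.uid
    return (auth_uid is not None and q["orderByChild"] == "userId"
            and q["startAt"] == auth_uid and q["endAt"] == auth_uid)

if __name__ == "__main__":
    me, other = "uid-alice", "uid-bob"  # constructed sample uids
    cases = [
        ("own receipts, equalTo rule", build_url(me, "TOKEN"), rule_equal_to),
        ("own receipts, startAt/endAt rule", build_url(me, "TOKEN", True), rule_start_end),
        ("another uid placed in the URL", build_url(other, "TOKEN", True), rule_start_end),
        ("no filter at all", BASE + "?auth=TOKEN", rule_start_end),
    ]
    for label, url, rule in cases:
        verdict = "allow" if rule(me, query_vars(url)) else "deny"
        print(f"{label:34} -> {verdict}")
```
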