[Firebase Database] Offline Enabled Cache, Security Rules


Charles Aylward

Feb 12, 2018, 5:22:47 PM
to Firebase Google Group
Hi FB Team,

When offline mode is enabled for the Realtime Database, is the database (up to 10MB) synced regardless of the security rules? Or does the offline mode syncing take security rules into account?

i.e. 

Rules:
{
  "rules": {
    "$uid": {
      ".read": "auth.uid === $uid"
    }
  }
}

Data:
{
  "123": {
    "secret": "secret data"
  },
  "456": {
    "secret": "other secret data"
  }
}

With offline mode enabled on iOS/Android, will the offline cache for user 456 include the "secret" node for user 123?

Best,

Charles

Kato Richardson

Feb 13, 2018, 2:57:10 PM
to Firebase Google Group
Hi Charles,

Not sure exactly what you mean here. Obviously you can't download data from the server if security rules prevent this, regardless of your offline settings. Once it's downloaded, it's local, so there's no effective way to revoke something cached on the client based on server changes (nor would this be effective if Firebase added a capability to try and delete it locally--too easy to cache elsewhere; e.g. a screenshot).

☼, Kato




--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Charles Aylward

Feb 14, 2018, 3:07:56 PM
to Firebase Google Group
I think you answered my question...

Reworded for better understanding:
Does the Realtime Database offline mode caching include everything (up to 10MB) or only what is authorized for read access through the security rules?

I know the security rules will prevent an unauthorized observer from receiving a data snapshot at a restricted node. I'm just making sure the security rules will also prevent offline mode caching of the database at the same restricted nodes.

Best,
Charles

Kato Richardson

Feb 14, 2018, 9:42:48 PM
to Firebase Google Group
If the data can't be downloaded due to rules it can't be cached locally. If it is locally cached and then the rules change, it may be locally available until the client syncs to the server again and determines it's no longer valid.

☼, Kato




Samuel Stern

Feb 15, 2018, 11:04:03 AM
to fireba...@googlegroups.com
Hey Charles,

Yes, the security rules apply in all cases.  The mobile client library does not have any special ability to go around security rules, so it can only cache what the signed in user is allowed to view.

- Sam
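
The point made in the replies above, as an added example that is not part of the original thread: a simplified JavaScript model (not Firebase's rules engine) of the posted rules and data, showing what a signed-in client can download and therefore cache offline. The function names canRead and cacheable are hypothetical; the example also goes one step beyond the thread by showing that a listener at the root is rejected outright, because read rules grant access per location and do not filter results.

```javascript
// Simplified model of Realtime Database ".read" rules; NOT the real rules engine.
// The rules and data trees are the ones posted in the thread.
const rules = { "$uid": { ".read": "auth.uid === $uid" } };
const data = {
  "123": { secret: "secret data" },
  "456": { secret: "other secret data" },
};

const split = (path) => path.split("/").filter(Boolean);

// Walk the rules tree along `path`. The read is allowed as soon as any ".read"
// on the way evaluates to true (a grant cascades to children). With no grant
// the read is denied; an expression that throws (e.g. auth is null) denies too.
function canRead(path, auth) {
  let node = rules;
  const vars = {}; // captured wildcard values, e.g. { "$uid": "456" }
  const segments = split(path);
  for (let i = 0; i <= segments.length; i++) {
    if (node && typeof node[".read"] === "string") {
      const names = Object.keys(vars);
      const rule = new Function("auth", ...names, `return (${node[".read"]});`);
      try {
        if (rule(auth, ...names.map((n) => vars[n])) === true) return true;
      } catch (e) { /* evaluation error means deny at this level */ }
    }
    if (i === segments.length || !node) break;
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
      continue;
    }
    const wild = Object.keys(node).find((k) => k.startsWith("$"));
    if (wild) vars[wild] = seg;
    node = wild ? node[wild] : null;
  }
  return false;
}

// What a listener attached at `path` can download, and so the most the
// offline cache can hold for that listener. null = listen rejected.
function cacheable(path, auth) {
  if (!canRead(path, auth)) return null;
  const value = split(path).reduce((d, k) => (d == null ? undefined : d[k]), data);
  return value === undefined ? null : value;
}

console.log(cacheable("/456", { uid: "456" })); // user 456's own node
console.log(cacheable("/123", { uid: "456" })); // another user's node
console.log(cacheable("/", { uid: "456" }));    // whole database
```
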
