Security Rule for updating a priority?

27 views
Skip to first unread message

David Notik

unread,
Mar 24, 2015, 6:22:20 PM3/24/15
to fireba...@googlegroups.com
So, I have comments and items. When a comment is added to an item, we update the parent item's updatedDate. I have a .write rule on the item that checks the auth.user against the child("user"), but then a specific rule on updatedDate that lets any authed user update it, so that this works fine. Problem is I also then update the priority, and I get permission denied because AFAIK there's no way to specifically allow setting priorities while keeping the whole of the item under lock with the .write rule.

It seems like a pretty straightforward use case: update the priority (order) of an item once it has some new activity.

I know the newer Firebase stuff introduced indexes and orderBy – I use this on the server side with the REST API, but not client because the library I use (firebase.dart) only recently got some love there and I have to approach it carefully. With indexes, I could in theory just store a updatedDate.millisecondsSinceEpoch and let that be my priority/orderBy. I could move my addComment() to the server to take advantage of that stuff, but I'm checking in to see if I really have to.

Thank you! 

Michael Lehenbauer

unread,
Mar 25, 2015, 3:27:18 PM3/25/15
to fireba...@googlegroups.com
Hey David,

Yeah, unfortunately there's no way to write a security rule that specifically applies to setPriority().  You have to do it at the parent .write rule (where you can use getPriority() to examine the priority) which understandably might not be desirable.

You're right that the recommended approach would be to store the data of interest in a field other than priority (and then use indexes to sort/filter by it).  In general we'd like to move people away from priority going forward in favor of using explicit indexes.

Sorry for the inconvenience!
-Michael

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/cedfa716-46bd-42fb-a43c-9c3bcd13378c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Notik

unread,
Mar 25, 2015, 4:20:50 PM3/25/15
to fireba...@googlegroups.com
Got it. Thank you!
Reply all
Reply to author
Forward
0 new messages