Rules Output

[Jay]

We are working on rules for our app and need quick hand to decipher the rules output (it's our first go with the simulator)

we have a single firebase user, email + password authentication

user id:  10023

Authenticate as a user

Custom Auth:  { id: 10023, provider: 'password', uid: 'simplelogin:10023' }

data is

-users
  -simplelogin:10023
     email: name@someurl.com

rules are

"rules": {
    ".read": false,
    ".write": false,
   
      "users": {
        "$user_id" : {
          ".read": "auth != null && $user_id === auth.uid",
          ".write": "auth != null && $user_id === auth.uid"
        }
}

output is

Attempt to read /users/simplelogin:10023/email with auth=Success({"id":10023,"provider":"password","uid":"simplelogin:10023"})
     /: "false"
          => false
     /users
     /users/simplelogin:10023: "auth != null && $user_id === auth.uid"
          => true


Read was allowed.

On first glance it appears the simulator is trying to check the rules on the node twice; once with the auth=Success rule, which is false, and once with the auth != null rule, which results in true. What's actually going on here?

as a test, we removed the

    ".read": false,
    ".write": false,

and the output was changed in that the results from the first auth=Success

     /: "false"
          => false

was now just a / which didn't really tell us anything

     /

As a followup, is there any documentation on using the simulator or understanding the output? Googled it and checked the site to no avail - perhaps we just overlooked it.

[Tom Larkworthy]

Only one write needs to evaluate to true for the write to be accepted. You have two write rules so there are two evaluation of security expressions. One at the root write rule, and one at the deeper write rule. 

     /: "false"
          => false

The above is telling you the root write rule "false" has evaluated to false

     /users/simplelogin:10023: "auth != null && $user_id === auth.uid"
          => true

The above is telling you the rule at "/users/simplelogin:10023", which has the expression of "auth != null && $user_id === auth.uid" has evaluated to true. So the write will go through (only one needs to be true).

Attempt to read /users/simplelogin:10023/email with auth=Success({"id":10023,"provider":"password","uid":"simplelogin:10023"})

The above is telling you what the simulator is simulating. A read operation at path /users/simplelogin:10023/email with corresponding auth payload {"id":10023,"provider":"password","uid":"simplelogin:10023"}. The fact it has wrapped the auth payload with Success(...) should be ignored (it didn't used to do that and I think we have a regression in how we display that output)

Tom

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/ba38dfba-9694-4b80-b451-2f737232297c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.