rules issue with changing value used by rule (permission denied) - data vs newData


spo...@gmail.com

May 4, 2016, 12:36:35 AM
to Firebase + EmberJS
Hi,

I'm having a problem with security rules where I want to restrict `write` on a template to the owning user, but I also want to allow that `user` to "re-assign" the template to another user (change the template user from their UID to another user's UID). So, the desired behavior is that once the owning user has "re-assigned" the template to another user, only the new owning user can make updates (`write`) to the template.

In the ember model, the template belongsTo a user.

So, my rules should allow `write` under the following conditions:

 - IF authenticated and user is creating a new template and the template user is the currently authenticated user OR
 - IF authenticated and user is updating an existing template and the existing template user is the currently authenticated user

Here is the relevant section of my `rules.json` file:

"templates": {
  ".read": "auth !== null",

  "$template_id": {
    ".write": "auth !== null && ((!data.exists() && newData.child('user').val() == auth.uid) || (data.exists() && data.child('user').val() == auth.uid))",
    ".validate": "newData.hasChildren(['user', 'createdAt', 'updatedAt'])"
  },
},

The rules above correctly allow a user to create and delete a template they have created, but it fails with "permission denied" when the user who owns the template tries to change the 'user' to a different user.

In reading the security docs, my interpretation is that `data` should be the value *before* it is changed, thus `data.child('user').val()` *should* match the current user and allow it to change.

It seems like this should work, but it doesn't :(  Is what I'm trying to do possible?  

Thanks for any assistance!


Tim Stirrat

May 4, 2016, 1:11:19 AM
to spo...@gmail.com, Firebase + EmberJS
Hey,

I recreated your data and rules in the simulator and got it working as expected.

I did run into an issue while setting it up: my template.user field was initially set to be numeric, while the auth.uid is a string. This caused the rule to fail even though it looked like it "should have" worked. After I converted my template.user fields to strings the rules seemed to act in the way you desire.

Check if you are running into the same problem with the types in your template.user field.

I hope this gives you something to work with!

Thanks,

Tim


Tim Stirrat

May 4, 2016, 1:13:08 AM
to spo...@gmail.com, Firebase + EmberJS
As a side note, to debug the issue, I reduced the write rule to this:

".write": "data.child('user').val() == auth.uid"

When I noticed this was not working as expected, I started to play around with the data to figure out what I was missing.

Cheers,

Tim
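
Added example, not part of any post in this thread and not Firebase's own code: a plain-JavaScript model of the `.write` rule from the question, showing how `data` (the stored value) and `newData` (the value after the write) decide each case, including the number-versus-string mismatch Tim describes. The helpers `snapshot()`, `canWrite()` and `scenarios()` and all sample uids are assumptions made for illustration; `===` stands in for the type-sensitive comparison observed in the simulator.

```javascript
// Hypothetical stand-in for a rules snapshot: exists(), child(key), val().
function snapshot(value) {
  const has = (key) => value !== null && typeof value === 'object' && key in value;
  return {
    exists: () => value !== null && value !== undefined,
    child: (key) => snapshot(has(key) ? value[key] : null),
    val: () => (value === undefined ? null : value),
  };
}

// The ".write" expression from the question, term for term.
// data = what is stored now, newData = what would be stored after the write.
function canWrite(auth, data, newData) {
  return auth !== null && (
    (!data.exists() && newData.child('user').val() === auth.uid) ||
    (data.exists() && data.child('user').val() === auth.uid)
  );
}

// Constructed sample data: uids and timestamps are made up.
const alice = { uid: 'uid-alice' };
const bob = { uid: 'uid-bob' };
const owned = { user: 'uid-alice', createdAt: 1, updatedAt: 1 };
const reassigned = { ...owned, user: 'uid-bob', updatedAt: 2 };
const touched = { ...reassigned, updatedAt: 3 };

function scenarios() {
  return {
    // New template: only newData can be checked, and it must name the caller.
    create: canWrite(alice, snapshot(null), snapshot(owned)),
    // Re-assignment: allowed because data (the old value) still names alice.
    reassignByOwner: canWrite(alice, snapshot(owned), snapshot(reassigned)),
    // After re-assignment the stored owner is bob, so alice is locked out.
    formerOwnerAfter: canWrite(alice, snapshot(reassigned), snapshot(touched)),
    newOwnerAfter: canWrite(bob, snapshot(reassigned), snapshot(touched)),
    // Stored user is the number 42 while auth.uid is the string "42": denied.
    numericStoredUid: canWrite({ uid: '42' }, snapshot({ ...owned, user: 42 }), snapshot(reassigned)),
    unauthenticated: canWrite(null, snapshot(owned), snapshot(reassigned)),
  };
}

console.log(scenarios());
```

The `numericStoredUid` case is the one that surfaces as "permission denied" even though the rule logic itself is sound.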