Firebase Security & Filters


Tyler Adams

Dec 25, 2016, 7:10:36 PM
to Firebase Google Group
Hi all and Happy Holidays,

I'm currently using Firebase on Android along with the Firebase security rules and I'm confused about the implementation of security rules along with the "filter" queries. I keep seeing "rules are not filters" which makes sense when making a broad query 

e.g.

A data structure with:

"users": {
  "user1": {
    "name": "Leeroy"
  },
  "user2": {
    "name": "Jenkins"
  }
}

and security rules with:

"users": {
  ".read": false,
  "$userId": {
    ".read": "data.child('name').val() == 'Leeroy'"
  }
}

DatabaseReference allUsersRef = FirebaseDatabase.getInstance().getReference().child("users");
// this would fail
allUsersRef.addValueEventListener(listener);
// this would succeed
allUsersRef.child("user1").addValueEventListener(listener);

However in my own code USING FILTERS I'm still getting permission errors:

e.g.
DatabaseReference allUsersRef = FirebaseDatabase.getInstance().getReference().child("users");
// this is failing
allUsersRef.orderByChild("name").equalTo("Leeroy").addValueEventListener(listener);


Is this the intended functionality? Will I have to add every single object my users could possibly have access to under a common object even with a filtered query?? I couldn't really find examples of these features together.


Thanks,
Tyler


Alan deLespinasse

Dec 26, 2016, 9:56:21 PM
to Firebase Google Group
Yes, that's the intended functionality: you need full read access to a node before you can do a query of its children, even if you're filtering out the ones you're not allowed to read. And yes, it's annoying.

Often you can just make one additional collection to use as an "index". You grant full read access to everyone, and it's a duplicate of the collection you want to query, except you only put in the data fields that you need to be able to query on. Hopefully those are fields that you don't mind all users being able to read. Then you run a query on that second collection, and for each item you find, you go and grab the corresponding item from the first collection.
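
The index pattern described in the reply above, as an added example that is not part of the original thread: a simplified JavaScript model of read-rule evaluation (not the Firebase rules engine) showing why the filtered query is denied and how the index lookup gets around it. The `userNames` index node and all function names are assumptions made for the illustration.

```javascript
// Simplified model of Realtime Database ".read" rules, constructed for
// illustration; it is not the Firebase rules engine.
const data = { // constructed sample data
  users: { user1: { name: "Leeroy" }, user2: { name: "Jenkins" } },
  // Hypothetical index node: same keys, only the field being queried.
  userNames: { user1: "Leeroy", user2: "Jenkins" },
};
const rules = {
  users: {
    ".read": () => false,
    $userId: { ".read": (d) => Boolean(d) && d.name === "Leeroy" },
  },
  userNames: { ".read": () => true }, // readable by everyone
};

// A read at `path` is allowed if a ".read" rule at that node or at one of its
// ancestors grants it. Rules below the node are never consulted.
function canRead(path) {
  let rule = rules, node = data;
  for (const key of path) {
    const wild = Object.keys(rule).find((k) => k.startsWith("$"));
    rule = rule[key] || (wild && rule[wild]);
    node = node == null ? undefined : node[key];
    if (!rule) return false;
    if (rule[".read"] && rule[".read"](node)) return true;
  }
  return false;
}

function read(path) {
  if (!canRead(path)) throw new Error("permission_denied: /" + path.join("/"));
  return path.reduce((n, k) => n[k], data);
}

// A filtered query is still a read of the parent node: access is checked
// there first, and only then are the children filtered.
function queryEqualTo(path, child, value) {
  const children = read(path);
  return Object.keys(children).filter(
    (id) => (child ? children[id][child] : children[id]) === value);
}

// Index pattern: query the readable index, then fetch each match on its own.
function findUsersByName(name) {
  return queryEqualTo(["userNames"], null, name).map((id) => read(["users", id]));
}
```

In this model `findUsersByName("Jenkins")` finds `user2` in the index and is then denied on `/users/user2`: the per-record rule still protects the full record, but every value copied into the index is readable by all users.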

Tyler Adams

Dec 27, 2016, 4:49:15 PM
to Firebase Google Group
Hi Alan,

Yeah, that is kind of annoying and quite silly tbh. Another layer of complexity will not be a welcome addition to my code, but your suggestion sounds like one of the better implementations. I do wish this kind of structure was more verbose in the documentation. Thanks for your help.

- Tyler