newData is invalid in .read expressions

[zach.mc...@gmail.com]

My security rules:

"chats": {

          ".indexOn": ["channel"],

          ".read": "newData.child('when').val() > (now - 3600000)",

          ".write": true

        }

When I try to save I get "newData is invalid in .read expressions" even though the docs at https://www.firebase.com/docs/security/quickstart.html reference newData in .read expressions.

[Jacob Wenger]

Hey Zach,

Looks like you found a bug in our docs! newData is only available for .write and .validate rules. This is because it holds the value of the node if and when the write succeeds. Since there is no write happening for .read rules, newData is not needed and you should just use data. We actually mention this in the API reference for newData. I'm going to comb through our docs and remove any references to newData in .read rules. Thanks for reporting!

Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/d3890f7a-7192-4592-9a27-439fe9ad58c5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[zach.mc...@gmail.com]

Thanks for the update. I'm going to piggyback on this thread with another question related to the rules mentioned in the URL I originally posted. 

I love the example for only allowing reads of messages that are dated within the last 10 minutes, however, the rules provided in that demo seem to show that they only apply when you're retrieving messages one at a time at a URL like /messages/message0. What I don't see is how to only allow read access to all messages that are dated within the last 10 minutes when needing to hit a URL like /messages. If you don't apply a top-level .read to the messages rule, you can't do a generic get on /messages and I can't seem to come up with a rule against messages to have the date restriction.

I tried this rule on messages but no luck: 

"messages": {

  ".read": "data.child('timestamp').val() < (now - 600000)"

}

When I use the simulator, it complains with "Type error: < only operates on numbers and strings."

[Tom Larkworthy]

Hi Zach,

So the security rules don't operate like a filter. So fixing the type error won't actually achieve what you want. To get the old messages out of reach of clients, I think you need another process in a server moving old messages out of the message collection. Its a bit cumbersome and we have plans to improve the situation but for the interim thats the strategy I would recommend.   

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/992d0436-0ef6-4b65-8c70-845e041a3df1%40googlegroups.com.

[zach.mc...@gmail.com]

Ok, I'm fine with that now understanding the difference. I have another question concerning $locations. Given this in your firebase:

messages: {

 message0: {

  timestamp: 1010,

  content: "Hi"

 },

 message1: {

  timestamp: 2000,

  content: "Goodbye"

 }

}

Can you help me understand the dynamic variables in these security rules?

"messages: {

  ".write": //what does 'data' refer to here? the entire collection? if it does, you can't access individual message objects, right?

  "$message": {

     ".write": //what does 'data' refer to here? would this selector only be applied if I was attempting to update a message object? what value does $message have?

  },

  "$messageId": { //btw, what's the difference between $message_id, $messageId, $messageID?

      ".write": //what does 'data' refer to here? would this selector only be applied if I was attempting to update a message object? what value does $messageId have?

[Kato Richardson]

`$message_id` represents a $ variable, which refers most unimaginatively to the id of each message stored under messages/ (e.g. message0 and message1 in your sample data). Since these ids are dynamic, we need a way to refer to each one. If that doesn't clear things up, check out the link.

The data under this is an object (it has child nodes). `$message` is one of the children of `$message_id` in that example and is a string. Thus, it represents the actual message logged to the chat room. In the tree, it is a leaf node (has no child nodes). There is no equivalent in your example data--you probably intended for `comment` to be the actual message? Not sure.

The value of `data` represents whatever data is stored at the current path. That is covered here and here.

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5250b121-f828-4bb6-b570-5b43c980d05a%40googlegroups.com.

[zach.mc...@gmail.com]

`$message_id` represents a $ variable, which refers most unimaginatively to the id of each message stored under messages/ (e.g. message0 and message1 in your sample data). Since these ids are dynamic, we need a way to refer to each one. If that doesn't clear things up, check out the link. Again, what's the difference between $messageId, $message_id and $messageID? I've seen all of them used in various tutorials.

The data under this (what is this referring to?) is an object (it has child nodes). `$message` is one of the children of `$message_id` in that example and is a string ($message_id and $message were declared as siblings in my example so this is confusing to me). Thus, it represents the actual message logged to the chat room (Do you mean it's the JSON payload stringified?). In the tree, it is a leaf node (has no child nodes). There is no equivalent in your example data--you probably intended for `comment` (I set 'content' to be the actual message) to be the actual message? Not sure.

[zach.mc...@gmail.com]

I guess I'll switch over to email support.

[Jacob Wenger]

Zach,

Sorry about that. We try to respond as quickly as we can to these questions, but sometimes we get caught up in other things - like building Firebase :) Let me see if I can give you some more answers:

Again, what's the difference between $messageId, $message_id and $messageID? I've seen all of them used in various tutorials.

There really is no difference and that's just us being inconsistent in naming. You could call it $foobarbaz and it would still act the same way. It is simply a Firebase Rules $ variable used as a catchall key name.

What is this referring to?

Kato was referring to the $ variable as this. Since the $ variable is just a key catchall key name, it act likes any other key in your Firebase Rules. That means it can have children nodes. 

$message_id and $message were declared as siblings in my example so this is confusing to me.

This is confusing to me as well and I don't think your initial rules are what you want. You should go for something along these lines:

{

  "messages": {

    "$messageId": {

      "creator": {

        // .read, .write, .validate rules for creator

      },

      "content": {

        // .read, .write, .validate rules for content

      },

      "timestamp": {

        // .read, .write, .validate rules for timestamp

      },

    }

  }

}

You have a /messages/ node which can have any number of message underneath it, as represented by the $messageId variable. The ID of each message will be stored in that variable and is accessible in any descendant's rules. Then, underneath each message, we add rules for different required items (in this case, I just chose a few random items).

I hope my explanations above answer your other questions /  comments as well. If you have not already, I would strongly reading through our entire Security guide for a full walkthrough of how this works.

Jacob

To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/c1891456-a623-4c47-af30-75abb0f575e9%40googlegroups.com.