Is it possible to do a database security rule like 'Has ONLY children'?

boss...@gmail.com

Sep 30, 2016, 11:02:43 AM
to Firebase Google Group

Just want to say first that Firebase is an amazing product for people wanting to push serverless to its potential. Few solutions really compete with Firebase right now when it comes to ease of use and overall momentum.

My question concerns the Firebase realtime database (frtdb) security. When you create new data in frtdb, say:

firebase.database().ref('names').push({ name: 'some name'}) 

and you have a rule like this:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "names": {
      "$new": {
        ".validate": "newData.hasChildren(['name'])"
      }
    }
  }
}

This makes sure that the 'name' attribute of the pushed data exists before it gets written (as well as being auth first).

If I were to do:

firebase.database().ref('names').push({ name: 'some name', others: 'something else' }) 

The previous security rules above would NOT prevent this from being pushed (I just tried this, but correct me if I'm wrong).

I was wondering whether it's possible to make sure that ONLY a set group of children (in this case, say, 'name' only, and not another child/column like 'others') will get written (or unpermitted to write).

Without this 'rule' (or a workaround for it), an untrusted client can push unnecessary data and have it be permitted by Firebase rules.

Thanks for reading this, and glad to hear if you have insights or a way to implement this. Keep up the good work on Firebase!

Chris Raynor

Sep 30, 2016, 11:30:12 AM
to Firebase Google Group
Hi

It's not directly possible, but you can achieve the same thing with an additional wildcard field with validation set to false.

Here's an example:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "names": {
      "$new": {
        ".validate": "newData.hasChildren(['name'])",
        // It's important this key exists so it doesn't match the wildcard below.
        "name": {
          // But you'll probably want some additional validation anyway:
          ".validate": "newData.isString()"
        },
        // This matches everything except those specifically mentioned above.
        // We use ".validate" so it's 'AND'ed with parent rules and not 'OR'ed.
        "$other": { ".validate": false }
      }
    }
  }
}

Chris
Engineer @ Firebase
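
Added example (not part of the original thread and not Firebase's own code): a simplified JavaScript model of how ".validate" rules are matched against a write, comparing the rules from the question with the rules from the answer. Rule expressions are stood in for by plain functions, and the push ID and payloads are constructed sample values.

```javascript
// Simplified model of ".validate" evaluation; an assumption-level sketch,
// not the Realtime Database rules engine.
const hasChildren = (keys) => (v) =>
  v !== null && typeof v === "object" && keys.every((k) => k in v);
const isString = (v) => typeof v === "string";

// Rules from the question: only require that 'name' exists.
const originalRules = {
  names: { $new: { ".validate": hasChildren(["name"]) } },
};

// Rules from the answer: a named 'name' child plus a rejecting wildcard.
const strictRules = {
  names: {
    $new: {
      ".validate": hasChildren(["name"]),
      name: { ".validate": isString },
      $other: { ".validate": () => false },
    },
  },
};

// Every ".validate" that applies to a written node must pass (they are ANDed).
// A literal key wins over a "$wildcard" sibling; unmatched keys have no rule.
function validate(rules, data) {
  if (!rules || data === null) return true; // no rule here, or a delete
  const check = rules[".validate"];
  if (check && !check(data)) return false;
  if (typeof data !== "object") return true;
  const wildcard = Object.keys(rules).find((k) => k.startsWith("$"));
  return Object.entries(data).every(([key, child]) => {
    const named = Object.prototype.hasOwnProperty.call(rules, key);
    return validate(named ? rules[key] : rules[wildcard], child);
  });
}

// Constructed sample writes under /names/<pushId>.
const write = (payload) => ({ names: { "-constructedPushId": payload } });
function demo() {
  const extra = { name: "some name", others: "something else" };
  return {
    originalExtra: validate(originalRules, write(extra)), // extra child accepted
    strictExtra: validate(strictRules, write(extra)), // extra child rejected
    strictOk: validate(strictRules, write({ name: "some name" })),
    strictNonString: validate(strictRules, write({ name: 42 })),
  };
}
console.log(demo());
```

To check real rules rather than this model, run the same four writes against the Firebase emulator or the rules simulator in the console.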
