Security rules
Notice: built-in functionality to save the uid in an entry is planned. For now you have to handle it yourself; this guide shows just one of several possible ways to do so.
To protect our data from unauthorized access, or even modification, we need solid security rules. Before we dive in, make sure you understand the basic concept of Firebase security rules.
With that out of the way, let's begin by taking a look at our data structure.
{
  "events" : {
    "-KvM7BE84diJN5ixyoOG" : {
      "location" : {
        "lat" : 37.743172,
        "lng" : -122.441297
      },
      "maxPrecision" : 7,
      "minPrecision" : 5,
      "title" : "Travelers Meetup",
      "uid" : "id"
    }
  },
  "events-geo" : {
    "9q8yt" : {
      "-KvM7BE84diJN5ixyoOG" : {
        "lat" : 37.743172,
        "lng" : -122.441297
      }
    },
    "9q8yty" : {
      "-KvM7BE84diJN5ixyoOG" : {
        "lat" : 37.743172,
        "lng" : -122.441297
      }
    },
    "9q8ytyb" : {
      "-KvM7BE84diJN5ixyoOG" : {
        "lat" : 37.743172,
        "lng" : -122.441297
      }
    }
  }
}
As you can see there are two primary nodes: /events and /events-geo. The uid field of an event holds the user id of the user who owns it. If this structure looks unfamiliar to you, check out the advanced usage guide. (coming soon)
So the goal is to make everything readable by everyone, but each event writable only by the user it belongs to. That sounds more complicated than it actually is.
As a first step, we protect the primary nodes. Everyone should be able to read from them, but nobody should be able to write to them directly. Keep in mind that Firebase rules cascade: a true at a parent grants access to all children and cannot be taken back below it, while a false at a parent does not stop a child rule from granting access to a specific path. That is exactly what lets the next step open up individual events. The first step looks like this:
{
  "rules" : {
    "events" : {
      ".read" : true,
      ".write" : false
    },
    "events-geo" : {
      ".read" : true,
      ".write" : false
    }
  }
}
As a next step, we need to protect the child nodes. Only the owners of an event should be able to write to them.
{
  "rules" : {
    "events" : {
      ".read" : true,
      ".write" : false,
      "$event_id" : {
        ".read" : true,
        ".write" : "auth != null && (!data.exists() || data.child('uid').val() === auth.uid) && (!newData.exists() || newData.child('uid').val() === auth.uid)"
      }
    },
    "events-geo" : {
      ".read" : true,
      ".write" : false,
      "$geohash" : {
        ".read" : true,
        ".write" : false,
        "$event_id" : {
          ".read" : true,
          ".write" : "auth != null && root.child('events').child($event_id).child('uid').val() === auth.uid"
        }
      }
    }
  }
}
A few details matter here. In a rule, data is the event as it exists before the write, so a plain data.child('uid').val() === auth.uid check would deny creating a new event: there is no existing uid to compare against, and null never equals auth.uid. The rule above therefore allows the write when the event does not exist yet, but only if the incoming entry (newData) carries the caller's own uid. On an update it requires both that the caller owns the existing event and that the uid is not changed to somebody else, so ownership cannot be handed off or taken over. Deleting an event (newData does not exist) is allowed for its owner. The auth != null guard denies unauthenticated requests cleanly instead of letting auth.uid fail on a null auth object.
The /events-geo rule looks the owner up through root, which is also the database state before the write. Two consequences follow: the /events entry has to be written before its geo entries, and when you delete an event you should remove its geo entries first. If the event is deleted first, its geo entries become orphans that nobody can write or remove anymore.
For this to work the event must contain the user id of its owner in the uid field. So make sure you add the uid of the currently signed-in user to the entry before you call the createEntry method of gof.
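To see why the creation case needs special handling, here is a small local model of the two .write expressions as an added example. It is not part of this page, of gof, or of Firebase; it only mimics the snapshot methods the rules use (exists, val, child) and the pre-write meaning of data and root, so you can check the allow/deny matrix without an emulator. The event, user ids and helper names are constructed for the example. It compares the bare owner check (data.child('uid').val() === auth.uid), which denies the very first createEntry, with a creation-aware rule that also blocks ownership changes.

```javascript
// Added example, not code from the page or from gof: a local model of the
// Firebase rule expressions, not the Firebase rules engine.

// Minimal stand-in for a RuleDataSnapshot: exists(), val() and child().
function snap(value) {
  const present = value !== null && value !== undefined;
  return {
    exists: () => present,
    val: () => (present ? value : null),
    child: (key) =>
      snap(present && typeof value === 'object' ? value[key] : undefined),
  };
}

// The bare owner check: "data.child('uid').val() === auth.uid".
// `data` is the event BEFORE the write, so a new event has no uid to compare.
function ownerOnlyRule(data, auth) {
  if (auth === null) return false; // auth.uid on null auth fails the rule
  return snap(data).child('uid').val() === auth.uid;
}

// Creation-aware rule for /events/$event_id:
// "auth != null && (!data.exists() || data.child('uid').val() === auth.uid)
//               && (!newData.exists() || newData.child('uid').val() === auth.uid)"
function eventRule(data, newData, auth) {
  if (auth === null) return false;
  const existing = snap(data);
  const incoming = snap(newData);
  const ownsExisting = !existing.exists() || existing.child('uid').val() === auth.uid;
  const keepsOwner = !incoming.exists() || incoming.child('uid').val() === auth.uid;
  return ownsExisting && keepsOwner;
}

// Rule for /events-geo/$geohash/$event_id. `root` is the database BEFORE the
// write, so the /events entry must already be there.
function geoRule(root, eventId, auth) {
  if (auth === null) return false;
  return snap(root).child('events').child(eventId).child('uid').val() === auth.uid;
}

// Constructed sample state (hypothetical users and event).
const alice = { uid: 'alice' };
const mallory = { uid: 'mallory' };
const eventId = '-KvM7BE84diJN5ixyoOG';
const event = {
  title: 'Travelers Meetup',
  uid: 'alice',
  location: { lat: 37.743172, lng: -122.441297 },
};
const rootWithEvent = { events: { [eventId]: event } };
const rootWithoutEvent = { events: {} };

// Allow/deny matrix for the interesting cases.
function matrix() {
  return {
    // bare owner check: the initial createEntry is denied even for the owner
    bareCreateOwn: ownerOnlyRule(null, alice),
    bareUpdateOwn: ownerOnlyRule(event, alice),
    // creation-aware rule
    createOwn: eventRule(null, event, alice),
    createAsOther: eventRule(null, event, mallory), // uid in entry is alice
    createUnauth: eventRule(null, event, null),
    updateOwn: eventRule(event, { ...event, title: 'Moved' }, alice),
    updateOther: eventRule(event, { ...event, title: 'Moved' }, mallory),
    takeover: eventRule(event, { ...event, uid: 'mallory' }, mallory),
    giveAway: eventRule(event, { ...event, uid: 'mallory' }, alice),
    deleteOwn: eventRule(event, null, alice),
    deleteOther: eventRule(event, null, mallory),
    // geo entries: the /events entry has to exist before they are written
    geoBeforeEvent: geoRule(rootWithoutEvent, eventId, alice),
    geoAfterEvent: geoRule(rootWithEvent, eventId, alice),
    geoOther: geoRule(rootWithEvent, eventId, mallory),
  };
}

console.table(matrix());
```

The two bare* rows are the reason for the !data.exists() branch: with only the owner check, even the owner can never create the event in the first place. The geoBeforeEvent row shows the ordering constraint that follows from root being the pre-write state.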