javascript - How to set security rules to prevent delete data in firebase? - Stack Overflow

My Firebase structure looks like:

"ROOT": {
  "Group": {
    "User": {
      "Name": "",
      "Email": "",
      "Gender": "",
      "Mobile": "",
      "Time": ""
    }
  }
}

My question is, how can I prevent a user from running ref.remove() directly from the client browser inspector, which will delete all data without any prompt?

I want to allow the client script to run Firebase operations like

  1. add/update data to /ROOT/, I mean, adding more "Group" child nodes, like Group2, Group3..., but can't delete this node.
  2. and add data under /ROOT/Group/, as well as update and delete

How do I set up the security rules? Thanks.

asked Nov 23, 2015 at 14:21 by POPOEVER; edited May 15, 2016 at 2:21 by Frank van Puffelen
  • @Shilly, It doesn't matter if the ref is in the browser scope. Anyone can create a Firebase ref and call remove. You could also just send an HTTP delete request to root. You need to have server side security. – David East Commented Nov 23, 2015 at 15:25
  • Ok then, thanks for the explanation. (post-delete :) ) – Shilly Commented Nov 23, 2015 at 15:26

2 Answers

Check out Bolt!

Bolt is a schema validation tool for Firebase.

So you could define your Group and User schema and then write rules to make sure no one who isn't authorized can delete it.

type User {
 Name: String;
 Email: String;
 Gender: String;
 Mobile: String;
 Time: Number;
}

path /group/$groupid {
  read() = true;
  write() = this != null; // don't delete existing data
}

path /group/$groupid/user/$uid is User {
  read() = true;
  write() = this != null; // don't delete existing data
}

Now you just need to generate the security rules from the command-line, or upload them using the Firebase CLI. Bolt doesn't have support in the dashboard just yet. You can also copy and paste the generated rules into the dashboard if needed as well.

Some other helpful Bolt functions you can use:

path /create { write() { create(this) } }
path /update { write() { update(this) } }
path /delete { write() { delete(this) } }
path /create-or-update { write() { create(this) || update(this) }}

create(ref) { prior(ref) == null }
update(ref) { prior(ref) != null && ref != null }
delete(ref) { prior(ref) != null && ref == null }

See this sample file and its tests.
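
The same no-delete condition written directly as Realtime Database rules JSON for the /ROOT/Group/User structure in the question. This is an added example, not part of the original answer; the wildcard name `$group` and the open `.read` (mirroring `read() = true` above) are assumptions.

```json
{
  "rules": {
    "ROOT": {
      ".read": true,
      "$group": {
        // newData is this group as it would look after the write.
        // Creating or updating a group, and adding, updating or removing
        // a user inside it, all leave newData present, so they pass.
        // Removing the group itself, or its last remaining user (which
        // leaves the group empty), makes newData absent: write denied.
        ".write": "newData.exists()"
      }
      // No ".write" here or at the top of "rules": writes are denied unless
      // some rule on the path grants them, so ref.remove() on the root or
      // on /ROOT is rejected by the server.
    }
  }
}
```

A granted `.write` cascades to every child path, so no separate user-level rule is needed to permit deleting one user. Clients have to write at or below a group (for example `set()` on /ROOT/Group2, or a multi-path `update()` on /ROOT), because a `set()` on /ROOT itself has no rule granting it.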
