angularfire - Firebase Security API - Complex Data Structure - How to enforce relationships? -
For the past few weeks I've been exploring Firebase and its features to build a web app, but I've kind of run into a wall when it comes to security rules.
I've built a data structure on Firebase, but I'm not sure if it follows best practices (if it doesn't, feel free to suggest something different):
    {
      "groups" : {
        <group_key>
          "name": "",
          "rels": {
            "users": {
              <rels_users_key>
                "key":"" (user_key)
            },
            "notes": {
              <rels_notes_key>
                "key":"" (note_key)
            }
          },
          "isprivate": true
      },
      "users": {
        <user_key>
          "email": "",
          "rels": {
            "friends": {
              <rels_friends_key>
                "key":"" (user_key)
            }
          },
      },
      "notes": {
        <note_key>
          "title": "",
          "description": "",
          "rels": {
            "files": {
              <rels_files_key>
                "key":"" (file_key)
            }
          }
      },
      "files": {
        <file_key>
          "mode": "",
          "url": ""
      }
    }
The application flow is as follows:
The user signs up: a key is created on "users";
He is redirected to the "groups" view, where he should be shown the groups that have his id in rels > users, or that have "isprivate":"false";
As the user creates a group, a new group is added with his id in rels > users;
Entering the group view, he should see the notes that are in rels > notes for that group.
The rest of the logic follows the same principle, and I believe that if I can get through the first hurdle of understanding the Firebase security rules and applying them to this case, I can get through the rest.
I've tried a couple of rules, but I can't seem to get feedback from the web application, so debugging has been a trial-and-error process, and it's not working.
Could someone help me at least understand the logic behind it? I've read a lot of tutorials, but they seem shallow, with no deeper examples on complex structures.
Thanks for the help.
Edit
I've added the debug:true flag to login (thanks @kato), but I'm still getting no feedback on the rules. The rules are below; I still come into the "groups" view, get no feedback on the console, and the logged-in user sees groups he shouldn't:
    {
      "rules": {
        "groups": {
          ".read": "data.child('rels').child('users/' + auth.user).exists()",
          ".write": "data.child('rels').child('users/' + auth.user).exists()"
        }
      }
    }
As for the rules I've tried, they're countless; this is the most recent one (still no feedback).
Maybe I'm missing something?
Thanks again.
Rules cascade. That is, if a rule allows read, you cannot revoke it later in a nested child. In this way, you can write rules like the following:
    "$record": {
      // I can write the entire record if I own it
      ".write": "data.child('owner').val() === auth.uid",
      "foo": {
        // anyone in the friends list can write foo, but nothing else in $record
        ".write": "data.parent().child('friends/'+auth.uid).exists()"
      },
      "bar": {
        // superfluous: permissions are only "granted" and never "revoked" by a child
        ".write": false
      }
    }
Note how, because I am the owner, I can write to foo and to bar, even though bar has tried to revoke my read privilege.
So in your case above, your rules declaration lists read: true, which allows total read access to the entire repo. Change that to false and you'll see improved results.
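Added example, not part of the original answer and not Firebase's own evaluator: a small Node.js simulation of the cascade described above, showing why a root-level read: true makes a deeper group-membership rule irrelevant and why "bar" cannot revoke the owner's write. The Snap class, the allowed() function, the sample data and the per-group `$group` rule are assumptions made for illustration.

```javascript
// Minimal stand-in for the rules snapshot API (child/parent/val/exists only).
class Snap {
  constructor(root, path) { this.root = root; this.path = path; }
  child(p) { return new Snap(this.root, this.path.concat(p.split('/').filter(Boolean))); }
  parent() { return new Snap(this.root, this.path.slice(0, -1)); }
  val() {
    let v = this.root;
    for (const k of this.path) v = (v !== null && typeof v === 'object' && k in v) ? v[k] : null;
    return v;
  }
  exists() { return this.val() !== null; }
}

// Cascade: walk from the root toward the target path; the first rule on the
// way that evaluates to true grants access, and nothing deeper can revoke it.
function allowed(op, rules, db, auth, path) {
  const keys = path.split('/').filter(Boolean);
  let node = rules;
  for (let i = 0; i <= keys.length && node; i++) {
    const expr = node['.' + op];
    if (expr !== undefined) {
      const data = new Snap(db, keys.slice(0, i)); // data at the rule's own location
      // Rule strings are trusted constants defined in this file.
      if (new Function('data', 'auth', 'return (' + expr + ');')(data, auth) === true) return true;
    }
    if (i === keys.length) break;
    const wild = Object.keys(node).find(k => k[0] === '$'); // e.g. $group, $record
    node = node[keys[i]] || (wild && node[wild]);
  }
  return false;
}

// Constructed sample data and rules (hypothetical, keyed by uid).
const db = {
  groups: { g1: { name: 'team', rels: { users: { alice: { key: 'alice' } } } } },
  records: { r1: { owner: 'alice', friends: { bob: true }, foo: 1, bar: 2 } }
};
const groupRule = "data.child('rels').child('users/' + auth.uid).exists()";
const rootReadTrue = { '.read': true, groups: { $group: { '.read': groupRule } } };
const rootReadFalse = { '.read': false, groups: { $group: { '.read': groupRule } } };
const recordRules = { records: { $record: {
  '.write': "data.child('owner').val() === auth.uid",
  foo: { '.write': "data.parent().child('friends/' + auth.uid).exists()" },
  bar: { '.write': false } } } };

console.log('bob reads g1, root read true :', allowed('read', rootReadTrue, db, { uid: 'bob' }, 'groups/g1'));
console.log('bob reads g1, root read false:', allowed('read', rootReadFalse, db, { uid: 'bob' }, 'groups/g1'));
console.log('alice writes bar as owner    :', allowed('write', recordRules, db, { uid: 'alice' }, 'records/r1/bar'));
```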
firebase angularfire firebase-security