Firebase DB rules simulator allow read and write by unauthenticated users
The simulator allows read/write to Posts key, but the results are correct for the Users key rules. Each post under Posts has a uid value representing a user in Users key.
Are my rules wrong or is the simulator wrong? Be gentle, I'm new to Firebase. :)
Two equals:
Redacted Data view:
Try changing your rules to check that a uid child exists. For example:
".read": "data.child('uid').exists() && data.child('uid').val() === auth.uid"
Based on a quick test, I think what is occuring is that when a uid child does not exist, the evaluation of data.child('uid').val() fails and is handled by assigning it a value of false. Similarly, because the user is not authenticated, auth is null and auth.uid also evaluates to false. So your rule effectively becomes ".read": "false === false", which is true.
When I first simulated a read using your rule and I did not have a uid child in my database under /posts/1, the read was granted, as you reported. When I added a uid child, it was not granted.
- Firebase Functions "cannot determine backend specification"
- Error "The term 'flutterfire' is not recognized as the name of a cmdlet, function, script file, or operable program"
- Firebase login throws Error: spawn cmd ENOENT in NodeJS
- Is it secure to use an .env file to store API keys in Firebase Cloud Functions instead of Google Secret Manager?
- java.lang.IllegalAccessError: superclass access check failed: class org.jetbrains.kotlin.kapt3.base.javac.KaptJavaCompiler?
- Flutter Web not building because of Firebase Analytics and Firebase Remote Config
- How to upload dsyms files which developed with Flutter?
- CORS on firebase storage
- Swift pods cannot yet be integrated as static libraries FirebaseCoreInternal-library
- web - readAsBytes throws Unsupported operation: _Namespace
- Firebase deployed react app not working. Uncaught SyntaxError: Unexpected token '<'
- Read data from Firebase created by loggedin user - Flutter
- Module '"@angular/fire/messaging"' has no exported member 'AngularFireMessaging'.ts(2305)
- firebase.auth().useEmulator() takes a non-empty string URL
- Calling for specific field inside document by using query in firestore using reactJs
- Firebase Firestore client cannot be deployed
- Firebase Function v2 Cors blocked
- Firebase Cloud Function: & Flutter: Cannot use https callable function on emulators [firebase_functions/unavailable] UNAVAILABLE
- Can't upload files to firebase cloud storage. Error: "No objects exists with the desired reference"
- Which service account is used when running Firebase Cloud Functions?
- Search by pattern on Cloud Firestore collection
- Is there a way to have a collection directly under another collection in Firestore Database?
- firebase deploy --only functions overrides existing functions
- How to Use the Vertex API With Long Text Prompts
- Can't init firebase cloud storage due to cloud resource location
- Firestore iOS: caching offline writes only
- Is there a workaround for the Firebase Query "IN" Limit to 10?
- Firestore saves data locally on device but does not push to Firebase Console
- How can i prevent from Login component render when Firebase Authentication hasn't yet determined
- Firebase Error: Auth error from APNS or Web Push Service