firebase / geofire-js

GeoFire for JavaScript - Realtime location queries with Firebase
MIT License

Different security rules for locations #127

Closed ThadeuLuz closed 8 years ago

ThadeuLuz commented 8 years ago

I'm having a security issue with GeoFire.

I have many locations that belong to different users. I wouldn't like to allow users to be able to change or remove the location of all the items for obvious reasons, so I can't grant users write access to the parent (the reference passed to gf), but only to specific children after ownership verification. But the thing is, under the hood, geofire.set uses an update on the parent, so I'm getting 'not allowed' when trying to set a location of a specific child.

Is there a solution for this that I couldn't find myself? If not, I can send a pull request with a simple tweak to the set method to fix that.

Thanks in advance.

jwngr commented 8 years ago

You shouldn't have to give access to the parent node since an update() call is like doing a set() on all the specified children. In fact, if you look at the example security rules, you'll notice that none of them give write access to the root node of the GeoFire index. You may want to look at the "no deletes" security rules example for some inspiration.

If you are still having issues, please share the rules you are using. It's a bit hard to guess what is going wrong without them.

ThadeuLuz commented 8 years ago

I apologize, you are correct. Looking carefully, I found the problem in my security rule. I didn't know that about the update. Thank you.
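
An added example, not part of this thread and not the GeoFire project's own rules: Realtime Database rules that grant write access per location key after an ownership check, with no write rule on the index root, which works because each child named in an update() is checked at its own path. The `/items/$itemId/owner` layout and the `/geofire` index path are assumptions made for illustration.

```json
{
  "rules": {
    // Assumed layout (hypothetical names): /items/$itemId/owner holds the
    // owner's uid, and /geofire is the reference passed to GeoFire.
    "items": {
      "$itemId": {
        ".read": true,
        "owner": {
          // Set once by the signed-in user; cannot be reassigned afterwards.
          ".write": "auth != null && !data.exists() && newData.val() === auth.uid"
        }
      }
    },
    "geofire": {
      ".read": true,
      // No ".write" at this level: a grant here would cascade to every
      // child and could not be revoked further down.
      "$itemId": {
        // An update() on /geofire naming this key is checked here, so only
        // the item's owner can set or remove (newData is null) its location.
        ".write": "auth != null && root.child('items').child($itemId).child('owner').val() === auth.uid",
        ".validate": "newData.hasChildren(['g', 'l'])",
        "g": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 22"
        },
        "l": {
          "0": { ".validate": "newData.isNumber() && newData.val() >= -90 && newData.val() <= 90" },
          "1": { ".validate": "newData.isNumber() && newData.val() >= -180 && newData.val() <= 180" },
          "$other": { ".validate": false }
        },
        "$other": { ".validate": false }
      }
    }
  }
}
```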