mayacakmak / se2

Control interfaces for manipulating SE2 configurations
BSD 2-Clause "Simplified" License

Secure data/fix user permissions #5

Closed mayacakmak closed 4 years ago

mayacakmak commented 4 years ago

Look into security rules on Firebase

kavidey commented 4 years ago

This is our current ruleset:

{
    "rules": {
        ".read": true,
        ".write": "auth != null",
        "users": {
            "$user_id": {
                ".write": "$user_id === auth.uid"
            }
        }
    }
}

It allows anyone to read anything and anyone who is authenticated in any way to write to anywhere under /users. The check that allows anyone who is authenticated to write (".write": "auth != null") overrides the check that the user is only writing to their user id under data.

I think it would make sense to change it to something like this:

{
    "rules": {
        "users": {
            "$user_id": {
                ".write": "$user_id === auth.uid",
                ".read": "$user_id === auth.uid"
            }
        }
    }
}

That would allow users to only read and write to data under their user id /users/<uid>/..., but not everyone else's data. I can update my data download script to have admin privileges so that it can still read all of the data it needs.
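
The override discussed in the comment above, as an added example that is not part of the original thread or the project's code: a simplified JavaScript model of how Realtime Database rules are checked along a path, where a grant at any ancestor cannot be revoked by a deeper rule and a path with no granting rule is denied, run against both rulesets. `isAllowed`, `evalRule` and the sample uids are hypothetical; the model ignores `.validate`, `data`, `root` and other rule features.

```javascript
// Rule strings below are trusted constants copied from the thread;
// never evaluate untrusted input with new Function.
const CURRENT_RULES = { rules: {
  ".read": true,
  ".write": "auth != null",
  users: { $user_id: { ".write": "$user_id === auth.uid" } },
} };

const PROPOSED_RULES = { rules: {
  users: { $user_id: {
    ".write": "$user_id === auth.uid",
    ".read": "$user_id === auth.uid",
  } },
} };

// Evaluate one rule expression with auth and captured $variables in scope.
function evalRule(rule, auth, vars) {
  if (typeof rule === "boolean") return rule;
  const names = Object.keys(vars);
  const fn = new Function("auth", ...names, `return (${rule});`);
  try {
    return Boolean(fn(auth, ...names.map((n) => vars[n])));
  } catch (e) {
    return false; // e.g. auth.uid when auth is null: treated as deny
  }
}

// op is ".read" or ".write"; path looks like "/users/alice/profile".
function isAllowed(rulesDoc, op, path, auth) {
  let node = rulesDoc.rules;
  const vars = {};
  const segments = path.split("/").filter(Boolean);
  for (let i = 0; ; i++) {
    // A grant at this level applies to everything beneath it.
    if (node && op in node && evalRule(node[op], auth, vars)) return true;
    if (!node || i === segments.length) return false; // default deny
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      // Fall back to a $wildcard child and capture the segment value.
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (wild) vars[wild] = seg;
      node = wild ? node[wild] : null;
    }
  }
}
```
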