Closed rogerhutchings closed 8 years ago
Change what exactly? I have noticed your votes, but I couldn't overwrite/remove them.
A bug in the code could overwrite votes, however, as it only checks for someone to be logged in, not the owner of the vote. So that should be changed in https://console.firebase.google.com/project/project-6243802502502885389/database/rules so that only the user can edit their own votes
I'm trying to change the rules according to the FB docs (user tab). I've tried this
{
"rules": {
"issues": {
"$uid": {
".read": "true",
".write": "$uid === auth.uid"
}
},
"users": {
"$uid": {
".read": "auth != null",
".write": "$uid === auth.uid"
}
}
}
}
But now I get permission denied every time I vote. Any thoughts?
Well, issues isn't keyed by auth.uid
for one thing
@rogerhutchings how does this look? I changed the rules in the console so users are keyed by Firebase uid variable. The behaviour is as expected.
{
"rules": {
"issues": {
".read": "true",
".write": "auth != null"
},
"users": {
"$uid": {
".read": "auth != null",
".write": "auth != null",
}
}
}
}
A bug could still cause a user to overwrite another user's data, as anyone can read / write to any user as long as they're logged in. The rules were correct before, but I think the problem lies in that nodes under users
are keyed by GitHub ID, not Firebase uid. So if you use the uid Firebase auth provides, this...
{
"rules": {
"issues": {
".read": "true",
".write": "auth != null"
},
"users": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
...should work
Ah that makes sense thanks! Just made a PR.
Currently, anyone logged in can change anything; auth rules should be restricted so users can only change their own votes.
Ref #12