Firebase DB rules simulator allow read and write by unauthenticated users
The simulator allows read/write to Posts key, but the results are correct for the Users key rules. Each post under Posts has a uid value representing a user in Users key.
Are my rules wrong or is the simulator wrong? Be gentle, I'm new to Firebase. :)
Two equals:
Redacted Data view:
Try changing your rules to check that a uid child exists. For example:
".read": "data.child('uid').exists() && data.child('uid').val() === auth.uid"
Based on a quick test, I think what is occuring is that when a uid child does not exist, the evaluation of data.child('uid').val() fails and is handled by assigning it a value of false. Similarly, because the user is not authenticated, auth is null and auth.uid also evaluates to false. So your rule effectively becomes ".read": "false === false", which is true.
When I first simulated a read using your rule and I did not have a uid child in my database under /posts/1, the read was granted, as you reported. When I added a uid child, it was not granted.
- updating firestore document multiple times from event trigger function overwrites or stops updating after few triggers
- How to reconcile Firebase Auth token refreshing with Server-Side Rendering
- Firebase Firestore: Accessing Never-Retrieved Data Offline
- How to delete a created firestore database.?
- Firebase throws "Given sign-in provider is disabled for this project" error when I try to sign up user via app but able to add user via console
- Firebase deploy failed even without changing the function from onCallable to onRequest
- Firebase App Check error in Flutter's Android Release Builds
- FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command
- Genkit using retriever context and tools causes error
- Not able to verify squarespace domain for non-www-prefixed url in firebase
- Firebase Auth saving users without identifier with OIDC
- Firebase Admin SDK cant upload to storage bucket folder
- Accessing Firestore via Cloud Function
- Problem with executing asynchronous Cloud Function
- do you need to create a separate collection/document for reading an aggregated document with firebase cloud function
- httpsCallable is not a function when calling a Firebase function
- Requests for referrer are blocked when trying to sign in anonymously to Firebase
- Error: Text strings must be rendered within a <Text> component in React Native when string is not empty
- Android Studio's project gradle file changed?
- Cannot display Data from my layout viewBinding
- How to send one to one message using Firebase Messaging
- How to listen to button triggers using Firebase
- Error with go_router while doing a phone auth with Firebase on iOS
- Critical security vulnerability in reCAPTCHA Enterprise
- 404 page not found when running firebase deploy
- Delete a specific user from Firebase
- How do I get flutterfire configure command to work?
- How to install firebase extension in not-interactive way
- Angular Firebase (AngularFire) CRUD SHOW and EDIT pages?
- Firebase messaging, where to get Server Key?