Validate id exists ignored in Firebase

Question

I'm using Firebase to add Users. I also have a Newuser, which is an empty user that can be initialised using an id (the id's come from tags I already made).

Now when a newuser is initialised, Firebase should check if the given tagid is already used in the users table (as a key).

This is what my Users and NewUser data looks like;

This is the Firebase Rule I'm applying which is working in the simulator

{
  "rules": {
    ".read": true,
    ".write": true,
    "newuser": {
      "tagid": {
        ".validate": "root.child('users/'+newData.val()).val() === null"
      }
    }
  }
}

But for some reason I'm able to add this newuser record, using an existing tagid using the Firebase REST API. (with Postman)

Are you using the admin API to create the data? If so, rules are ignored by the admin API. — Kao, Oct 30 '17 at 12:40
Thanks for your answer; I'm using the following guide: I don't think it's the admin API, right? https://firebase.google.com/docs/reference/rest/database/ — Miguel Stevens, Oct 30 '17 at 12:43
No, you're right. Can you include the request you're sending? — Kao, Oct 30 '17 at 12:49
https://stackoverflow.com/questions/33794709/firebase-validate-with-newdata?rq=1 — Kao, Oct 30 '17 at 13:04
The only data I'm inclusing is {"tagid": 3}. Thank you i'll take a look at the other thread. — Miguel Stevens, Oct 30 '17 at 13:08

Grimthorr · Accepted Answer · 2017-10-30T13:36:27.090

The rules you've configured don't quite match the database structure you're working with, so you'll need to try something more like:

{
  "rules": {
    ".read": true,
    ".write": true,
    "newuser": {
      "$pushid" : {
        ".validate": "root.child('users/'+newData.child('tagid').val()).val() === null"
      }
    }
  }
}

In the above rules, the $pushid value will match any key at /newuser/$pushid (for example, your key of -KxhGb7zZy8cZM5Pkntz), and then using newData.child('tagid') will obtain the tagid value from that new data.

Using a $location value in the rules is like a wildcard variable, so it will automatically match any node name at that location. From the $location rules documentation:

A variable that can be used to reference the key of a $location that was used earlier in a rule structure.

When you have a $location in your rules structure, you can use a matching $ variable within your rule expression to get the name of the actual child being read or written.

This is required with your current structure, because when you're adding to your newuser node, your payload looks something like this:

{
    "newuser" {
        "$pushId": {
            "tagid": int
        }
    }
}

You can test your rules in the Rules Simulator in the Firebase database console. In my tests of this, the write was denied when I had /users/1 already in the database and my payload included the value of tagid: 1:

Thanks for your answer! How do you get that $pushid in the database rules tester? — Miguel Stevens, Oct 30 '17 at 13:18
@Notflip Using a `$location` value in the rules is like a wildcard variable, so it will match any node name at that location automatically. I've added this clarification to my answer. — Grimthorr, Oct 30 '17 at 13:33
I'd love to know the reason behind someone's recent downvote of this answer so that I can improve it... — Grimthorr, Nov 06 '17 at 09:35
that's odd your answer explains it perfectly and is well structured. — Miguel Stevens, Nov 06 '17 at 11:36

Validate id exists ignored in Firebase

1 Answers1