I have the following Firebase rules, and I'm having trouble getting validation to work as expected:
{
  "rules": {
    ".read": true,
    ".write": true,
    "specialItems": {
      "$itemid": {
        ".validate": "root.child('items/' + $itemid).exists()"
      }
    }
  }
}
The intention of my .validate rule is that an entry in the 'specialItems' list is only accepted if it already exists in the 'items' list. Unfortunately, Firebase is allowing me to add to specialItems regardless - no doubt because I misunderstand how validation should work.
I'm using the App Engine Python urlfetch API to talk to Firebase via REST, using the PATCH method.
from google.appengine.api import urlfetch
from firebase_token_generator import create_token
import json

auth_payload = {"uid": "custom:1", "auth_data": "foo"}
# create_token(secret, auth payload, options); the third argument sets the admin flag
token = create_token(FIREBASE_SECRET, auth_payload, {"admin": True})
url = "https://<my-app>.firebaseio.com/specialItems.json?auth=" + token
payload = json.dumps({"myItem": "ok"})
result = urlfetch.fetch(url=url, payload=payload, method=urlfetch.PATCH)
When starting with an empty database this leaves me with a complete data tree that looks like:
specialItems
-- myItem: "ok"
I was expecting this tree to fail the validation rule. I've also tried using PUT, which has identical effect:
url = "https://<my-app>.firebaseio.com/specialItems/myItem.json?auth=" + token
result = urlfetch.fetch(url=url, payload='"ok"', method=urlfetch.PUT)
One other thing to note is that I currently need to authenticate with 'admin: True' in order to write anything, despite my rules seeming to indicate that anyone should have read/write access. Makes me wonder whether my rules are being applied at all - if that's the case, then I'm not sure how to enable my rules - they're right there in the 'Security & Rules' pane. I'm also assuming here that admin is not allowed to violate schema validation rules.
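A legacy Firebase auth token that carries the claim admin: true bypasses the security rules entirely, .validate included; the rules only run for requests authenticated as an ordinary user or made anonymously. The following is an added Python example, not code from the post or from Firebase's firebase_token_generator library: it reconstructs the legacy (v0) token format with the standard library so the two token shapes can be compared side by side and a mis-signed token is rejected. The secret and uid are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder: substitute the project's real secret when talking to a live database.
FIREBASE_SECRET = "example-secret-do-not-use"


def _b64url(raw):
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_legacy_token(secret, auth_data, options=None, now=None):
    """Mint a Firebase legacy (v0) token: an HS256 JWT whose 'd' claim is the
    payload that rules see as `auth`. Options map onto top-level claims; the
    'admin' option is the one that switches rule evaluation off."""
    options = options or {}
    if "uid" not in auth_data and not options.get("admin"):
        raise ValueError("auth payload needs a 'uid' unless admin is set")
    claims = {
        "v": 0,
        "iat": int(now if now is not None else time.time()),
        "d": auth_data,
    }
    for opt, claim in (("admin", "admin"), ("debug", "debug"),
                       ("expires", "exp"), ("notBefore", "nbf")):
        if opt in options:
            claims[claim] = options[opt]
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"},
                                separators=(",", ":")).encode("utf-8"))
    body = _b64url(json.dumps(claims, separators=(",", ":"),
                              sort_keys=True).encode("utf-8"))
    signing_input = (header + "." + body).encode("ascii")
    sig = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return header + "." + body + "." + _b64url(sig)


def verify_and_decode(secret, token):
    """Check the HS256 signature with a constant-time compare and return the
    claims dict, or None if the token was not signed with `secret`."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret.encode("utf-8"),
                        (header + "." + body).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def rules_enforced(claims):
    """.read/.write/.validate only apply when the token lacks admin: true."""
    return not claims.get("admin", False)


if __name__ == "__main__":
    payload = {"uid": "custom:1", "auth_data": "foo"}
    admin_token = create_legacy_token(FIREBASE_SECRET, payload, {"admin": True})
    user_token = create_legacy_token(FIREBASE_SECRET, payload)
    for name, tok in (("admin", admin_token), ("user", user_token)):
        claims = verify_and_decode(FIREBASE_SECRET, tok)
        print(name, "rules enforced:", rules_enforced(claims))
```

To exercise the .validate rule over REST, put the token minted without the admin option in the `auth=` query parameter; the admin token is the right choice for trusted server-side writes that should not be subject to the rules, which is exactly why it is not useful for testing them.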
Try the following code
You can use the simulator on the dashboard to test your rules. Make sure you have checked 'Enable Anonymous User Authentication' if authentication is not required, authenticate, and then enter your URL and check the read and write results.