Idk why this video only has 365 likes. This is real gold
@MartinRyleOShea 4 years ago
This is the most useful content I have gotten from this channel. It brought me from "how am I ever going to make this secure" to "I better watch out for the edge cases". Thanks so much for the great job!
@albertgao7256 2 years ago
Lord, this is so good, I would care less about the DSL and just do everything in my own backend, but now I can unit test them! I can add them confidently in my client-side code, and save loads of code on the backend side, pure gold, thanks a lot!
@mysomervda 4 years ago
Excellent, thanks for this one Todd. I seem to get to this point each time I create a new Firestore project. It’s nice to have all this info in one video. Looks like there is a bunch of new useful capabilities in security rules to simplify the rule writing.
@smorebytes 4 years ago
This is gold. Thanks so much Firebase team!
@GAschill706 4 years ago
This is the best video I’ve seen in this series so far. Detailed rules explanation and the new tricks of debug and mapdiff AND unit tests... 🥳 Thank you 🙏
@RobinYoulton 4 years ago
This was super informative, I will be using this video as a reference again and again. I'm creating a retail app with customer messaging and sharing (Firestore at the core), so I really need to utilise these security methods - thank you Todd & Rachel!
@christophercarson4149 4 years ago
Excellent video. One really helpful emulator feature would be to log out which rule "allowed the operation." I came to this video after beating my head against the wall trying to figure out why a create succeeded when it should have failed. I have two create rules for the path. I was forgetting to set up the database such that the first rule failed. So my second rule (the one under test) was never getting evaluated. Your debug("this is getting called") tip helped me figure this out. But it might be nice to be able to see this in the log automatically. Thanks!
@nathanpannell82 4 years ago
This series of videos is super helpful and very clear. I would love a Firecast on how to unit test firebase functions. Especially functions that react to and modify firestore and realtime database. (in the emulators). Thanks for the great videos!
@cgadam86 4 years ago
LOL. "Goodbye to our wonderful viewers" hahaha. Thanks a lot to both of you and the Firebase team for putting together these super easy to follow and didactic videos. It means a lot to gain adoption of a complex and awesome platform like Firebase is!
@davidkim2016 4 years ago
That was incredible! I would love to see what security roles can be placed around following users, and being notified based on another user's specific actions.
@dc5 4 years ago
This is awesome. Definitely learned a lot! Thank you!
@AchillRudolph 4 years ago
much
@maniyalraj1 4 years ago
Consider a social app where user_abc will be allowed to see 7 out of 10 fields for locked users unless the user_abc unlocks (by paying some credits) a particular user user_def. After unlock all the fields for user_def can be visible but only 7 fields for still other locked users.
@teze 2 years ago
I really like this guy. Super awesome engineer.
@SariAlHiari 4 years ago
Excellent content. Would like more discussion on rules and patterns pertaining to queries. Something like collection("orderItems", ref => ref.where("orderId", "==", someOid) ... and how the security rules should only allow the creator of that orderItem to read it (stored in creatorId on the document).
@vballaddict75252 3 years ago
This is great and very helpful. I *DO* wish I could just call out "Hey Rachel" to help in real time!! ;-)
@b0otable 4 years ago
@19:05, I would get errors if I tried to use let requiredFields. If I just directly put the list into .hasAll(["authorId"...]) it works
@b0otable 4 years ago
@@ToddKerpelmanCorp Thanks for the quick reply! I'm actually using let within the function. To simplify, I have created the following block:
    // function postHasOnlyAllowedFields() {
    //   return request.resource.data.keys().hasOnly(["authorId", "visibility", "content", "headline", "photo", "tags", "location"])
    // }
    function postHasOnlyAllowedFields() {
      let requiredAndOptionalFields = ["authorId", "visibility", "content", "headline", "photo", "tags", "location"]
      return request.resource.data.keys().hasOnly(requiredAndOptionalFields)
    }
The first function works and all my tests run. When I uncomment it and comment out the function below, all tests fail with
    Error: 3 INVALID_ARGUMENT: Error compiling rules: L48:9 missing ';' at 'return'
L48 refers to
    return request.resource.data.keys().hasOnly(requiredAndOptionalFields)
I have also added a ';' to the end of L48 but it still has the error. I also get the exact same issue with the postHasAllRequiredFields function as well.
EDIT: I solved the issue. The error had me looking in the wrong location... Needed to add ';' to the end of:
    let requiredAndOptionalFields = ["authorId", "visibility", "content", "headline", "photo", "tags", "location"]
@myname5667 3 years ago
Is it possible to work with the items of the set that is returned by MapDiff? Like get one of the items and check it for some value (not just with hasAll() hasAny(), really access to one item) You could look that only one property of one item in one list has changed if you can do this.
@Lestibournes 3 years ago
It would be helpful if I could use a Cloud Function that resolves to a boolean in the security rules. I have a case where I need to check for and prohibit overlaps between events on a calendar and right now that forces me to use Cloud Functions instead of continuing the serverless experience.
@ricolippert9505 4 years ago
Thx :) Maybe some DDoS Protection?
@vballaddict75252 3 years ago
The biggest request I have for a follow-up video would be one describing the easiest way to add a custom auth claim to an app. Esp for someone on the Spark plan who can't use functions. I, for example, am creating an app that we are rolling out to only a few users. I'm currently handling user privileges by setting a field in a Firestore document that cannot be written to (i.e. all the changes are done via the Firebase console). If the app is successful and we roll it out to a lot of uses, how will I add the custom auth claims?
@ChaviAnyo 4 years ago
Thank you for your videos! They helped me a lot, but if I missed something, I would say transactions and batches: how can we protect some relations that have to be done in atomic operations?
@henrybasson7614 4 years ago
Thanks for this! Please can you extend and also check that a post object with an array has the correct data format and length. For instance a post document can have an array with object values. So you would need to iterate through the array and check for array length and the nested object values for data type and size. A spammer can still spam the database by making a string 10 000 characters long instead of 200 in the nested object of the array.
    doc: {
      array: [ // max 5 objects in array
        {string: '200 long max', string2: '2000 long max, 1 long min', number: > 1 < 200 },
        {string: '200 long max', string2: '2000 long max, 1 long min', number: > 1 < 200 },
      ]
    }
Is there a way to limit access to certain fields of a doc for read-requests as well?
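One way to enforce the array constraints asked about above (at most 5 elements, each with bounded field types and sizes) in Firestore Security Rules, as an added example that is not from the video or the Firebase team. The `/posts` collection, the `entries` field and the element fields `title`, `body` and `count` (standing in for the comment's `string`, `string2` and `number`) are assumed names.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // One array element: exact key set, then type and size bounds per field.
    // title/body/count are assumed names for the comment's string/string2/number.
    function validEntry(entry) {
      let allowed = ["title", "body", "count"];
      return entry is map
        && entry.keys().hasAll(allowed)
        && entry.keys().hasOnly(allowed)
        && entry.title is string && entry.title.size() <= 200
        && entry.body is string && entry.body.size() >= 1 && entry.body.size() <= 2000
        && entry.count is number && entry.count > 1 && entry.count < 200;
    }

    // Passes when index i is past the end of the list or holds a valid element.
    function validEntryAt(entries, i) {
      return entries.size() <= i || validEntry(entries[i]);
    }

    // The rules language has no loops, so the cap of 5 is what makes an
    // index-by-index check of every element possible.
    function validEntries(entries) {
      return entries is list
        && entries.size() <= 5
        && validEntryAt(entries, 0)
        && validEntryAt(entries, 1)
        && validEntryAt(entries, 2)
        && validEntryAt(entries, 3)
        && validEntryAt(entries, 4);
    }

    match /posts/{postId} {
      // Any signed-in user may write here (assumed policy for this sketch);
      // oversized or malformed arrays are rejected before they reach storage.
      allow create, update: if request.auth != null
        && validEntries(request.resource.data.entries);
    }
  }
}
```

Each `let` binding and each `return` ends with `;`, which is the compile error discussed earlier in the thread.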
@AhmetKizilay0 4 years ago
This was very useful! Thank you!
@antuancaraballo9691 4 years ago
Fantastic! I have been waiting for this :)
@bosung90 4 years ago
Finally a solution to fields that should not be modified ❤️
@martingagne3997 3 years ago
Thanks! This was very helpful. What was the purpose of the tail -f command at the end?
@goku21youtub 4 years ago
I have a completely different question. Can I use Firestore for my own app (which I won't publish and just use for myself) for free forever? Or will my test Firestore db be deleted after a period of time? If I ever use an app commercially, am I allowed to use the Firestore free plan for that too? OK, that's 3 questions lol
@maniyalraj1 4 years ago
You explain very clearly and well ❤️
@danwu3788 4 years ago
This is awesome. What do you recommend for firestore documentation of collections? I know firestore is supposed to be schemaless, but we have 2 dev teams on web and iOS using the same firebase project, so enforcing some schema would be nice. Something like TypeScript but for firestore rules?
@SalarYazdjerdi 4 years ago
Hi Todd, these videos are amazing. Thank you so much! I have an important use case that could greatly change what I change with cloud functions vs client code: How do I say a User can only add or remove their id from a specific array in a document? And how do I say a user can only update a specific entry in a map where the key is their userId? Thanks!
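One way to express the two restrictions asked about above with set difference and the map diff mentioned elsewhere in these comments, as an added example that is not from the video or the Firebase team. The `/groups` collection, the `members` list field and the `scores` map field are assumed names, and both fields are assumed to exist on every document.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // The only id added to or removed from the list is the caller's own uid.
    function onlyOwnMembershipChanged() {
      let before = resource.data.members.toSet();
      let after = request.resource.data.members.toSet();
      // Symmetric difference: everything present in exactly one version.
      let changed = before.difference(after).union(after.difference(before));
      return changed.hasOnly([request.auth.uid])
        // Reject duplicate ids smuggled into the new list.
        && after.size() == request.resource.data.members.size();
    }

    // The only key touched inside the map is the caller's own uid.
    function onlyOwnMapEntryChanged() {
      return request.resource.data.scores.diff(resource.data.scores).affectedKeys()
        .hasOnly([request.auth.uid]);
    }

    match /groups/{groupId} {
      allow update: if request.auth != null
        // No other top-level field may change in the same write.
        && request.resource.data.diff(resource.data).affectedKeys()
             .hasOnly(["members", "scores"])
        && onlyOwnMembershipChanged()
        && onlyOwnMapEntryChanged();
    }
  }
}
```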
@entrepreneerit4490 4 years ago
Awesome, thanks!
@adityashukla1012 4 years ago
Thanks a lot. I needed this.
@olegvilkov 4 years ago
Awesome, thank you! Do the files which you create in this video exist in public access?