This was the best (most comprehensive and actually useful) talk out of all Firebase talks so far :thumbsup:
@RahulG1123 8 years ago
+Agon Bina yup .. most others were pretty superficial.. but he needed to be slow as he was explaining a critical part of the platform
@jwngr 8 years ago
Thanks guys! Glad you enjoyed the talk and got something out of it :)
@quangvu695 8 years ago
It is pretty impressive he could convey that much info in just 43 minutes. Very good technical info, also being very well presented!
@coderlikecoffee5947 9 months ago
Instead of reading a lot of docs, I watch this. It's so useful
@TheRobertjoellewis 8 years ago
I bet the live audience was bewildered. I had to pause/rewind very often to absorb everything. But this video helped me out HUGELY with my project. Thumbs up!
@danieldilly 7 years ago
I'm quite critical on how people teach things and I have to say that this was one of the best explanations for anything I've ever watched. Bravo!
@SergioBarreracoding 8 years ago
Great presentation Jacob! That was a goooooooooooaaaaaaaaaal!
@jwngr 8 years ago
Thanks! ⚽⚽⚽
@naheelazawy 6 years ago
RIP headphone users..
@LouisCognault 8 years ago
I think that everyone who watched this talk (except that thumbs down guy) agrees that it's probably the best Firebase talk, and a very high-quality one, which is really great for such an important topic as security! I don't have much experience in security (apart from avoiding obvious flaws), but as an Android Developer, I found this very understandable. Thanks a lot Jacob, and thanks to Firebase and Google too for making it possible!
@verdurakh 8 years ago
This was something that made some of the rules understandable! Very good talk :D
@jopadjr 8 years ago
Jacob I finished my last app last June from the Udacity Android Nanodegree using Firebase. Your explanation is soooooo good mate. It is very easy to understand....Thanks for that...
@paracha3 8 years ago
One of the amazing videos I have watched about Firebase!
@paoluccij 4 years ago
As you can validate what they say about security, when someone rides a sniffer over the network and the user who has rights to read and write, access DB the key travels in the package to FIREBASE, this is intersected by the SNIFFER and can use the key to access everything you want from that user.
@lilHoodRD 6 years ago
Exactly what I was searching, Thanks!
@urielsalazar399 7 years ago
why not changing database rules as the storage one? it would be more consistent and easier to use :c
@markgoho 7 years ago
Still one of the best Firebase related talks!
@davidbrenes-castro2114 5 years ago
This video is AMAZING, even for a newbie like me I was able to build my security rules just by watching this video.... like 10 times haha. Thanks a lot Google!
@mrunalahirao9256 8 years ago
Nice presentation, Jacob. Security rules are quite hard to understand but you've done it well, so new developers can understand it. But I am confused on how to set up security rules for data which expands randomly?
@kamranqadri 8 years ago
It took too much effort to learn all these things back when Firebase was released, and this talk just gives it all in one shot. Well, thumbs up. And questions... 1. Can we access database data in storage rules? 2. When will this new rules language be available for database, or will it use Bolt?
@jwngr 8 years ago
1. can we access database data in storage rules? Not yet, although that is on our radar. See the discussion here: groups.google.com/forum/#!msg/firebase-talk/FxwKuGo2wpI/9jJ2huLEGwAJ 2. when will this new rules language will be available for database or will use bolt? We don't have any dates to announce. We would love to have a unified rules language at some point though. For the time being, continue to use things like Bolt.
@kamranqadri 8 years ago
Well thanks a lot.
@RahulG1123 8 years ago
was wondering all the time what is the server side language in firebase.. this answers it.. no language, just Rules :)
@RahulG1123 8 years ago
+Ivan Wang yup. Syntax similar to node js
@jwngr 8 years ago
Both the Database and Storage Rules languages are custom rules languages designed by the Firebase team, but they are heavily influenced by JavaScript.
@josefranciscodesousabarao6248 4 years ago
Can somebody help me with a few rules? (only need 2 to secure my DB)
@kenmagg 8 years ago
ditto, one of the best talks on a critical part of firebase 😀
@ryanburns6356 7 years ago
This is a phenomenal presentation
@DanKardell 4 years ago
Where do you get "gamesID" from?
@patricknasc 8 years ago
Hey Jacob, you've done a great job with this presentation! I was struggling to understand this stuff and you definitely saved me a lot of time! Thx a lot!
@joelimplified 7 years ago
At 25:18 he says because read rules are ORed together the write overall will be allowed. This may not be right, I think he mistakenly said write, it is actually read which is allowed because of rule cascading.
@anderseklund4685 8 years ago
+Jacob Wenger In the app that will read this data how would you go about finding the public metadata to display to the users what games are available? The read rule will not allow you to enumerate the key values for each game so you could query the metadata information? ex. You need to know the key (push id) in order to read the isPublic boolean in the metadata object. /games/-KHajPD89j1uEPr8-E5i/metadata/isPublic I'm trying to build a very similar type of structure for an idea that I have but I have a hard time making the data structure and how to manage security, I also want to control if a game is public or not and should be displayed to the user.
@SoftybearMusic 7 years ago
Hello, have you found a solution to this issue? I am exactly wondering the same thing; how can I retrieve the game ID's, if I don't have access to them
@balazsorban 6 years ago
same here
@joelenanod7544 8 years ago
Thanks yellow guy! Made my day :D
@kamilbolka 6 years ago
Great presentation, you open a door to the development
@DanielHenryThomas 5 years ago
Excellent presentation, truly useful, thank you immensely !!!
@LE8271 8 years ago
This guy should act in Big Bang Theory :-) Seriously great stuff. Yet some question remains. In your example the users are unable to get list of "games" as they have no access right to that. $GameID is pretty much random. How do they setup an observer to "games" node to list the available gameIDs without having access? If I give them access to "games" then cascading applies. It is a bit unclear.
@OneKarl1 7 years ago
I'd like to know the answer to this too. At the moment, the only way I can see this working is to maintain a list of game ids somewhere else and use this list to iterate through the games and let firebase security reject access. I have no idea how performant that would be.
@LE8271 7 years ago
OneKarl1 yes this is how I solved this issue too. But then consistency problems arise. I cannot ensure that ids exist on both nodes. I can setup a rule for one node to ensure that a given id exists on the other node but I cannot ensure the opposite direction. Result: orphaned nodes at the end. Firebase should support transactions more seriously than present with this approach. Also: do not rely on rejection scheme. Once you have access to a node later a rejection that node will not raise the "onremoved" event with your observer. So it will be stuck in front of your user regardless that access has been denied later.
@srjons 7 years ago
Hi, I am also facing the same issue. Do you have an answer?
@SoftybearMusic 7 years ago
same
@alejoJimenezMS 8 years ago
Hi Jacob. Thanks for such a good talk. Right now I'm migrating from Parse, but I've run into a problem that I can't figure out. Maybe you can give me a hint. I have an app where users can buy tickets to attend to training classes. With the tickets they can select which classes they want to attend to, and reschedule them. Let me show you an example: - Let's say a user buys tickets for 4 classes. - Then he assigns them to 4 training classes. - One day he can't assist to one, so he deletes it and assigns his ticket to a different one. The problem is that I need to keep track of the number of available tickets in order to let him assign them to classes, but if I grant him ".write" permissions, a user with technical knowledge could exploit this configuration and grant him unlimited classes. I also thought about using a counter of available tickets, but again, I would have to grant the user permissions to update this field and, eventually, run into the same issue. Any thoughts? Thanks again! PS: I hope I explained myself well.
@AdrianViegas 8 years ago
Alejandro Jimenez you can count the number of nodes under tickets node and allow it only when it is less than purchased tickets
@sandwichtube 3 years ago
The issue is poor documentation.
@richardmiho 8 years ago
best explanation ever.
@fabioampe 8 years ago
Nice presentation! Helped me clear a lot of the doubts I had.
@paragkadam1092 8 years ago
At 12.50... shouldn't it be a && (AND operator) instead of a || (OR operator)? As anyone can still access the game data even with an anonymous authentication.
@OneKarl1 7 years ago
It's a public game, so perhaps it doesn't matter?
@pickemparty 7 years ago
I understand the principle and the need for security rules, and I am intending to write them as required. My question is this... in the instance that I forgot/missed to put a rule in for a particular branch in the json tree... how will a user/anyone know the paths of my json tree to go do malicious adds/removes in the json tree?! In my example; I have an iOS app that has the UI, numerous viewControllers, that do all the add/remove of any info/objects to the Firebase backend... how would an end user even know how to manipulate the paths in my Firebase backend when they are not exposed to my Firebase structure!?
7 years ago
Firebase connection string and data is visible, if we access data by browser, what can be done about that
@janasandeep 7 years ago
The API key and project name shown at 7:10 are not known to public, right? Does APK decompiling reveal these details?
@MattCM89 5 years ago
Great talk! Given the content, incredibly clearly described. A+++
@legoman777777777 8 years ago
Amazing! Thank you Jacob! Perfect explanation
@anonanonnonono9019 8 years ago
Why can't I host the firebase-data on my own server? Like RxDB or rethinkdb..
@005yass 7 years ago
Thank you very much, now I understand the roles better, thanks.
@dc5 8 years ago
Flawless... thank you!
@orestborovets2140 4 years ago
Awesome explanation
@durgaprasad814 8 years ago
Hi Jacob, please can you direct me to how you added an Admin user to the Realtime Database?
@afaak9 8 years ago
Excellent this made many things clear
@yuvarajupadhyaya2048 4 years ago
how to use username/password combination authentication ??
@karasira2696 6 years ago
Amazing explanations!
@kampukampu2867 8 years ago
how to skip children node which the user has no privileges to visit?
@kvvnng 8 years ago
Can we download the slides somewhere?
@javierpacareu4715 5 years ago
This is soooo well explained :)
@TheOlian04 4 years ago
Is this information still up to date?
@ankitpatidar8993 7 years ago
can we retrieve data of authentication users
@lemongaming3162 7 years ago
Can we borrow your code for example?
@justrosy5 7 years ago
Very good information! Is there a version of this presentation that's meant just for those of us who are brand new to Firebase? Introducing all the old ways while explaining the new is really confusing when you're someone who never used the old to begin with. It feels like the presentation goes in circles over and over again for about the first half or so. I understand that it's important to do that for those who are long-time Firebase users, but for someone who's new, the first half of the video seems like a lot of "this would work, so let's do it, but no, that doesn't work, so we'll do this here, even though that doesn't work either, so now we'll do this..." repeatedly. It's too easy to get lost.
@Nealpa 8 years ago
Such a great tutorial :D
@AbubakerMahmoudshangab 8 years ago
Wow, awesome.
@ryandailey5 7 years ago
31:45 lol
@balazsorban 7 years ago
At 16:45 he introduces the metadata object to put all the public elements in. I am trying to do something similar in my project, and my question is, how do I collect the metadata into a JavaScript object? If someone is interested in helping, here is a link to my question on Stack Overflow: stackoverflow.com/questions/46007534/getting-only-public-data-from-firebase-references-children
@jessebeckton3717 8 years ago
Great presentation but I think this is the worst part of Firebase.. quite primitive. If a slick UI was built for the rules it could be better.