0

i have following security rules:

    {
      "rules": {
        "users": {
          ".read" : true,
          "$user_id": {
            ".read": true,
            ".write": "auth != null && $user_id === auth.uid"
          }
        }
      }
    }

My data looks like:

    {
    "users" : {
    "JIZW3KswDDMggo9U1WwCoIamHaU2" : {
      "-L8s34CZsCgodNxgF09G" : {
        "email" : "[email protected]",
        "isAdmin" : true,
        "name" : "Mannu Sharma",
      },
"UKtLdQzPdWa2KJ10iXrjuV80JSd2" : {
      "-L8LTf95dxqQdjYHhFDB" : {
        "email" : "[email protected]",
        "name" : "Neeti Singhal"
      }
    },
    "YQCXFjnU8jaXR9xUXIgknp18Z3A3" : {
      "-L8TQTFiGLEuxCTbbrQ7" : {
        "email" : "[email protected]",
        "name" : "John Teslie",

      }
    }
    }

My angularfire2 code to query data is:

getUserByEmail(email:string){
    console.log("start of getUserByEmail with email:" + email)
    return new Promise((resolve, reject) =>
      {

        this.db.list("/users", 
          ref => ref.orderByChild('email').equalTo(email)
        ).valueChanges().subscribe(
          res => {
            console.log('response:' + JSON.stringify(res))
            resolve(res)
          },
          err => {
            console.log(err)
            reject(err)
          }
        )
      })
  }

I have login with facebook implemented. So when i login with my email [email protected] and do the search it returns me my record. But any other search does not work.

To my understanding my security rule let anyone query the users data. So what I am missing?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Vik
  • 8,721
  • 27
  • 83
  • 168

1 Answers1

1

Your data is double-nested: you have /users/$uid/$pushId. That last level is not needed, and means that you can't query for a user by their email. For more on this general case see Firebase Query Double Nested.

But in this case the fix is quite simple: I don't think you need the level with the push IDs (-L....) in your JSON. You're likely adding the user data by calling push(), which isn't needed. Remove the call to push(), probably use set() it its stead, and you should lose that extra level in the JSON tree. With that level gone, you can query /users by the email property of each user.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807