
I received a warning from Google (via e-mail) that the following realtime database rules are unsafe. It says that every authenticated user can write into the whole database, but I think that this is not true. Am I wrong?

The 'schema' has two database objects: 'items' and 'users'. The rules are as follows:

{
  "rules": {
    "items": {
      ".read": true,
      ".write": "root.child('users').child(auth.uid).child('roles').child('admin').val() == true"
    },
    "users": {
      ".read": true,
      ".write": false
    }
  }
}

Thanks and regards Simon

  • I won't say `".read": true` rule for `users` node is secure as you are exposing all users' data to everyone (that might potentially include confidential data). If that's your use case and all information is public, then you can ignore the warnings imo. – Dharmaraj Sep 10 '22 at 13:26
  • I don't think these rules should trigger the alert, but if they continue to do so you can disable the alert: https://stackoverflow.com/questions/55388991/stop-firestore-warning-that-everyone-can-read-data – Frank van Puffelen Sep 10 '22 at 14:30
  • @FrankvanPuffelen Thank you very much for your answer. The alert was triggered again couple of hours ago. Seems to be a false alert in that case. Thanks and regards Simon – Simon Sep 10 '22 at 19:21

1 Answer


I seem to be correct and the write rules inhibit some users from writing into the database, so that the warning appears to be a false warning.

Simon
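As an added illustration (not code from the question or the answer), the following script models how Realtime Database rules cascade from the root down the requested path and evaluates the two rules above against constructed sample data and uids. It shows that only a uid whose `users/<uid>/roles/admin` is `true` can write under `items`, that nobody can write under `users` (so a client cannot grant itself the admin role), and that `".read": true` on `users` exposes the whole subtree to unauthenticated reads, which is the point raised in the comments.

```python
# Added example: simplified model of rule cascading, not the Firebase engine.
# Sample database contents and uids below are constructed for the demo.
RULES = {
    "items": {
        ".read": lambda ctx: True,
        ".write": lambda ctx: ctx["root"].get("users", {})
                                .get(ctx["auth"]["uid"], {})
                                .get("roles", {}).get("admin") is True,
    },
    "users": {".read": lambda ctx: True, ".write": lambda ctx: False},
}

DATABASE = {  # constructed sample data
    "users": {
        "alice": {"roles": {"admin": True}},   # admin
        "bob": {"roles": {}},                  # ordinary signed-in user
    },
    "items": {"item1": {"name": "widget"}},
}


def allowed(op, path, auth, root=DATABASE, rules=RULES):
    """Return True if `op` ('.read' or '.write') is granted at `path`.

    Models the cascade: a rule that grants at the node or any ancestor
    grants access to everything below it, and deeper rules cannot revoke
    it. An expression that dereferences auth.uid while auth is None
    fails, which is treated as a denial (as the real engine does)."""
    ctx = {"root": root, "auth": auth}
    node = rules
    segments = [s for s in path.strip("/").split("/") if s]
    for segment in [None] + segments:
        if segment is not None:
            node = node.get(segment, {})
        expr = node.get(op)
        if expr is None:
            continue
        try:
            if expr(ctx) is True:
                return True
        except TypeError:  # auth is None -> auth['uid'] raises
            pass
    return False


if __name__ == "__main__":
    print("alice writes items:", allowed(".write", "items/item1", {"uid": "alice"}))
    print("bob writes items:", allowed(".write", "items/item1", {"uid": "bob"}))
    print("bob self-promotes:", allowed(".write", "users/bob/roles/admin", {"uid": "bob"}))
    print("anonymous reads users:", allowed(".read", "users/alice", None))
```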