FirebaseDB Rules

Hi all,
I need help to understand security rules on realtime database. (Consle REALTIME, Rules)
I red the documentation :

But either i have a bug somewhere or i do not set the correct rules, but even with rules
my app have access to firebase at the correct node (TAG)
to better understand, i'started a new app from scratch and make it as simple as possible :

Firebase Extension Properties :
Blocks :

And the firebase :
The problem is that the app run perfectly with full access !!, i enter the name clock to "Read value FB" and i got the firstname even if the rules (Read/Write) is set on False ?

Does somebody see what is not correct ?

Mny Thks

I couldn't replicate your problem, once I change rules in firebase console and publish them
"rules": {
".read": false,
".write": false

in companion I get the following message

1 Like

Hi Dora,
Thks for your reply.
That's really strange.
I've started a new project, copy screen1, add a refresh extension Firebase with, put no FB Token :
And copy the same blocks, let rules False in FirebaseConsole
Result : The APP read the datas and give me the firstname ...
Maybe i should create a newrealtime database ?

Do you mean it getting value as tag
Value = tag

Have you tested after publishing rules ?


1 Like

Yes you need to change rules false to ture

Developer :
Yes. The 1st textbox is the TAG, the 2nd is the value in return (firstname)
Ex: if i enter "Dupont" and i click READ FB, then i got "Paul"
Dora :
Yes, i've published and tested after.
Due to the fact that i've also used this TEST FIREBASE for the Authentication, for trying differents options on the console ... maybe starting from scratch with a new FIREBASE will be better

You store value as paul/text box 2
Then value = Paul
You can't get tag as value
Your tag is dupont you can't get it as value

You can make blocks like this

Firebase store value
Tag =1st name
Value = your 1st name

Firebase store value
Tag = 2nd name
Value = your 2nd name

Firebase get value
Tag =1st name

restart everything: browser/app project/companion.

In the firebase console, change "Paul" to "David".

In your app call the tag "Dupont"

What comes back ?

1 Like

Hi Developper,
Thks, i can do the changes in order to improve the request to firebase but it do not explain the security problem. I wrote the block very quickly since the objective wasn't to get the datas in a clean way but more to test the security
I will do that and come back :slight_smile:

1 Like

I did the restart as you mentionned. I've also changed "Paul to David" and now i've the 'expecting' message : "FirebaseError, Permission denied"
and if i change the rules to 'true,true' => Access and 'False,False' => No access
Congratulation ! :grinning:
I don't understand anything but it correct now ?!

1 Like

I believe "something" got lost or stuck along the way, and you were working with cached and not live data and settings.

A refresh... (the good old turn it off and on again) got everything working as it should. The companion app in particular (in my experience) often needs a good refresh to get itself correctly set up with the newest settings/blocks/components/files in assets - and especially extensions.

1 Like

Thanks a lot.
i will now continue with the extension FirebaseAuth in order to give Read/Write access Firebase only to User that have authenticated.
I will open another post in case of question


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.