Why can't I change the priority of my link to Firebase (Permission denied)
In my Firebase , I have an object that looks like this:
person
---- name
---- age
When I try to create it for the first time, I use this command:
firebaseRef.child("person").setValue(...)
This works great.
Sometimes I want to create this entry with priority and it can be done like this:
firebaseRef.child("person").setValue(..., myPriority)
This works great.
However, the priority must be updated later. I tried the following:
firebaseRef.child("person").setPriority(myPriority)
Unfortunately this fails with the "Permission denied" error message. Why is this?
The safety rules for this link are as follows:
"person": {
".read": true,
".write": true,
"name": { ".validate": "newData.isString()" }
"age": { ".validate": "newData.isNumber()" }
"$other": { ".validate": false }
}
As you can see, node is read and written.
source to share
Problem:
The reason for the "permission denied" error is obviously in the security rules.
The problem is that the priority is stored in a "hidden" property .priority
, which is rarely mentioned in the documentation.
This property does not appear in Firebase Forge (dashboard), but it can be seen when exporting raw JSON.
Now the directive "$other": { ".validate": false }
does not allow checking any property other than name
and age
. Therefore, the "Permit Denied" error occurs.
However, I don't know why this object can be written in the first place when used setValue(..., myPriority)
. This should also throw an error.
Solution (half way):
It now seems obvious to add a new directive to the security rules that looks like this:
".priority": { ".validate": true }
But it doesn't work. Firebase Forge's answer:
Key names can't contain ".", "#", "$", "/", "[", or "]" (unbound names start with "$")
This means that we cannot properly solve this problem. We have to tweak our existing security rules with one flaw: the rule has "$other": { ".validate": false }
to be removed when we want to update the priorities, leaving us with a flawed check.
source to share