1 00:00:00,210 --> 00:00:04,950 In this lecture, we're going to modify our Firebase rules for production.
2 00:00:05,280 --> 00:00:09,630 We've overlooked some of the rules during the development phase of our application.
3 00:00:09,990 --> 00:00:15,150 The database rules in Firebase are not entirely secure at the moment.
4 00:00:15,450 --> 00:00:19,920 Any user who is authenticated can modify the documents in the database.
5 00:00:20,460 --> 00:00:23,160 This includes documents that don't belong to them.
6 00:00:23,430 --> 00:00:24,540 Let's fix this.
7 00:00:24,840 --> 00:00:27,600 Open the Firebase console in your browser.
8 00:00:28,380 --> 00:00:31,380 Navigate to the rules page for the database.
9 00:00:33,750 --> 00:00:40,620 We have two rules, one for reading and another for writing. The rule for reading the database is fine
10 00:00:40,620 --> 00:00:41,400 as is.
11 00:00:41,640 --> 00:00:45,180 We aren't storing anything super sensitive in the database.
12 00:00:45,480 --> 00:00:47,730 The writing rule needs to be changed.
13 00:00:48,090 --> 00:00:54,090 We want to create rules for when we write, create or delete documents from the database.
14 00:00:54,330 --> 00:00:57,930 We can create special rules for each of these scenarios.
15 00:00:58,200 --> 00:01:03,240 By default, Firebase will use the writing rules for all three scenarios.
16 00:01:03,600 --> 00:01:06,810 However, it's not the best way to write our rules.
17 00:01:07,050 --> 00:01:10,980 Currently, the rules are checking if the user is authenticated.
18 00:01:11,250 --> 00:01:14,760 If they are, they will be allowed to edit any document.
19 00:01:15,180 --> 00:01:19,140 We should restrict their editing capabilities to documents they own.
20 00:01:19,470 --> 00:01:28,530 We're going to change this rule to the following: if request.auth.uid ==
21 00:01:28,530 --> 00:01:30,060 resource.data.uid.
22 00:01:32,960 --> 00:01:37,910 The resource object refers to the document the client is attempting to access.
23 00:01:38,270 --> 00:01:40,490 It has information about the document.
24 00:01:40,850 --> 00:01:43,820 We can access the data with the data property.
25 00:01:44,210 --> 00:01:48,680 Through this object, we can access any of the values in the document.
26 00:01:49,370 --> 00:01:51,230 The condition we're writing checks
27 00:01:51,230 --> 00:01:58,730 if the ID on the client matches the ID in the document; we assign the user ID to the ID property.
28 00:01:59,120 --> 00:02:04,910 If the client attempts to write to a document they're not the owner of, the request will be rejected.
29 00:02:05,270 --> 00:02:08,900 This is a much more secure way to limit writing permissions.
30 00:02:09,380 --> 00:02:14,990 There is one problem with the rule: it will be applied to creating documents in this collection.
31 00:02:15,290 --> 00:02:19,970 We can't obtain an ID from the document if it doesn't exist to begin with.
32 00:02:20,390 --> 00:02:25,310 We still want to be able to create documents, but this rule will reject us.
33 00:02:25,610 --> 00:02:30,110 We'll create a rule specifically for creating documents below.
34 00:02:30,110 --> 00:02:36,780 This rule will add the following: allow create: if request.auth
35 00:02:37,010 --> 00:02:39,380 != null.
36 00:02:42,040 --> 00:02:49,270 This rule is the same rule we had before; we're going to allow any authenticated user to create a document.
37 00:02:49,540 --> 00:02:56,170 There is one last rule we'll write. If users attempt to delete a document, they'll be rejected because
38 00:02:56,170 --> 00:02:58,930 we haven't covered that scenario in our rules.
39 00:02:59,350 --> 00:03:03,280 We'll add the following to the rules: allow delete:
40 00:03:03,460 --> 00:03:10,630 if request.auth.uid == resource.data.uid.
41 00:03:13,500 --> 00:03:18,090 The rule for deleting documents is the same as the rule for writing documents.
42 00:03:18,420 --> 00:03:24,060 We want to limit what documents the user can delete by making sure they own the document they're trying
43 00:03:24,060 --> 00:03:24,720 to delete.
44 00:03:25,170 --> 00:03:27,960 We're finished with writing the rules for the database.
45 00:03:28,140 --> 00:03:29,190 Let's publish them.
46 00:03:31,760 --> 00:03:34,400 We're not going to modify the storage rules.
47 00:03:34,610 --> 00:03:38,240 They are fine as is. Firebase is ready for production.
48 00:03:38,540 --> 00:03:41,810 So let's move on to deploying the app in the next lecture.
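The complete Firestore ruleset the lecture builds up, written out as an added example (not the course's own rules file): an owner check on update and delete via `resource.data.uid`, and a separate create rule because `resource` does not exist yet for a document being created. The collection path `/posts/{postId}`, the field name `uid`, and the read rule (`request.auth != null`) are assumptions; the lecture does not name the collection or show its read rule. The create rule also goes one step beyond the lecture: it checks that the `uid` written into the new document is the caller's own, so a user cannot create a document that claims another user as its owner, and the update rule keeps the owner field from being changed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed collection name; the lecture does not name it.
    match /posts/{postId} {

      // Read rule assumed unchanged, as the lecture leaves it.
      allow read: if request.auth != null;

      // Create: `resource` is null here (the document does not exist yet),
      // so the owner check must look at the incoming data instead.
      // Assumed hardening beyond the lecture: the new document's uid must be
      // the caller's uid, otherwise anyone could create a document "owned"
      // by someone else.
      allow create: if request.auth != null
                    && request.resource.data.uid == request.auth.uid;

      // Update: the stored document's owner must be the caller, and the
      // owner field itself must not change in the write.
      allow update: if request.auth != null
                    && resource.data.uid == request.auth.uid
                    && request.resource.data.uid == resource.data.uid;

      // Delete: same owner check as update; `resource` is the existing document.
      allow delete: if request.auth != null
                    && resource.data.uid == request.auth.uid;
    }
  }
}
```

Two points worth checking before publishing a ruleset like this. First, Firestore grants a request if any matching `allow` statement is true, so the original `allow write: if request.auth != null` must actually be removed rather than left beside the new `update`/`create`/`delete` rules; if it stays, it still permits every authenticated user to modify any document. Second, the `request.auth != null &&` guard in front of each `request.auth.uid` comparison matters: evaluating `.uid` on a null `auth` is an error, and while an error denies the request, the explicit guard keeps the rule's intent readable and testable in the emulator.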