I need some help with securing my database.
Those are my security rules:
I've tried this code to give access to each user to read and write his own data:
{
"rules": {
"Users":{
"$user":{
".read": "auth.token.phone_number==$user",
".write": "auth.token.phone_number==$user",
}
}
}
}
My database looks like this (i'm using phone numbers instead of uid):
but for some reason when I run the firebase rules playground with a given auth.token.phone number that equals to the exact location I gave for example i get read option denied.
and it happens also within my app with my app can you guys help me to solve it?
In provider type ::Choose Custom
And In payload use :
{
"provider": "anonymous",
"uid": "********",
"token":{
"phone_number":""
}
}
Rules are:
"$phone":{ ".read":"auth!==null && auth.token.phone_number===$phone", ".write":false } }
create a new data path admins and store the phone number as a child and do this. sorry if this didnt work as i am also a beginner
root.child('admins').child(auth.token.phone_number)
Related
I´m writing an little application to create new user on an Azure AD.
Even following all the instructions in Create User Reference I allways get an Http Error 400 (Bad Request).
The only thing I´m not providing is an attribute named onPremissesImmutableId. Assuming I must provide it, problem is I don't know where to find such a value.
This is the Json I'm posting:
{
"accountEnabled": true,
"displayName": "Name Surname",
"mailNickname": "Surname",
"userPrincipalName": "name.surname#XXXX.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": false,
"password": "p#ssw0#D"
}
}
Any ideas?
TIA
Just after I posted the question I had the idea to review the password policy active on my AD tenant and I found out that it was the problem. So I just had to set a new password to match the policy and everything worked just fine.
If the user logins to the website in morning, watson would say Good Morning!
If the user logins to the website in afternoon, watson would say Good afternoon!
If the user logins to the website in evening, watson would say Good Evening!
I've written like this
{
"conditions": "now().before('12:00:00')",
"output": {
"text": {
"values": [ "Good morning!" ]
}
}
}
But after closing the json editor the code is changing to like this:
{
"output": {
"text": {
"values": [
"Good morning!"
]
}
}
}
Can anyone please say what the solution is? Please provide the entire code for
["good morning,good afternoon,good evening"]
`
You can't define conditions in the JSON editor. So it deletes any field that is not part of the schema.
You can set the condition within the tooling UI at the IF statement section. Just paste in your condition part. As the functionality has recently changed, you will need to do the following.
On the Welcome node, click the "Customise" Cog. Select "Allow multiple responses".
Set your conditions now at each response part.
If you are using the workspace API, then I recommend to export your workspace to see how a node block is correctly structured. Alternatively you can check the API spec.
https://www.ibm.com/watson/developercloud/conversation/api/v1/#create_workspace
I would like to know how to display a file when a user types something.
Ex: Show me the course details
Output: The file(pdf format) which is on my PC gets displayed.
Basically, you need to know how to work conversation: is one API for creating Intents, Entities and your Dialog flow.
Your application will access all nodes with the return from the API, and you will create conditions to get something for know if the user asked something about "Show me the course details".
I recommend to you create one intent like #aboutCourse and show examples to Watson know if the user will ask something with this purpose.
Something like:
Watson says: Hi! How can I help you?
User: Please show me the course details
Watson will recognize your intent and response what you paste within the node with the Intent condition #aboutCourse.
Make sure if the user really want this with:
Watson says: You really want to know details about the course?
User: yes / ok // or something to confirm
Or you can add some Intent confidence level for this node condition like: intents[0].confidence >= 0.75
And your code will check if the Intent is #aboutCourse and the entity is #yes, and do something in your application.
Or, you can create one context variable too, because, depends on your node flow, the intents will modify within your flow because every time Watson try to recognize what the user wants.
With your dialog flow, you will create one context variable and check if user says yes, like:
{
"context": {
"courseConfirm": "<? #yes ?>" //create one intent with confirm examples and value equal yes
},
"output": {
"text": {
"values": [
"Ok, you say #yes. I'll check, one moment."
],
"selection_policy": "sequential"
}
}
}
And within your application:
function updateMessage(input, response) {
if (response.context.courseConfirm == 'yes') {
//do something with code with code
}
}
Or you can create one function inside my example, like this answer.
Obs.: This code example is with conversation-simple project, from IBM Developers, but you will do something like my example with the same logic:get the return from API and do something within your application.
I've recently starting exploring firebase as a authentication solution for my angular JS single-page website, and it seems perfect. However from a security perspective I'm not very sure about keeping the logic on client-side in my application.
Suppose I have a check 'isProfileCompleted' for a customer who signs-up on my website, and is supposed to complete his profile. I'm keeping the data in a JSON keyed by the UID with exclusive write access to the customer only.
The problem is, now that the client has write access to his data, he can easily bypass client side validation checks by simply modifying javascript in his browser. Also, the client can easily update his account_type to author/moderator, as it's his data. Does firebase provide a solution to this problem?
Let me know if it's not clear, so I will try to elaborate further.
Thanks.
You can secure your data with Security Rules.
Firebase Security Rules are an expression (does the true evaluate to true/false) based rules language that live on a Firebase server and validate whether the current user can access your data.
Take the following data structure:
{
// the users of the app
"users": {
"1": {
"name": "Sanjay",
"isProfileCompleted": true
},
"2": {
"name": "David",
"isProfileCompleted": false
}
}
}
By default anyone can read or write data to your Firebase database. To fix this you can write security rules.
Security Rules are essentially an annotation on your data structure:
{
"rules": {
"users": { // /users is read only
".read": true,
".write": false
}
}
}
Security Rules give you access to a set of server variables to check your rules against. The most commonly used one is the auth variable which lets you check against the currently authenticated user. You can also create wildcard variables with the $, which acts a route parameter creating.
{
"rules": {
"users": {
// users can read and write their own data, but no one else.
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
}
}
}
}
You can even write rules to validate the structure of your data.
{
"rules": {
"users": {
// users can read and write their own data, but no one else.
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid",
".validate": "newData.hasChildren(['name', 'isProfileCompleted']),
"name": {
".validate": "newData.isString()"
},
"isProfileCompleted": {
".validate": "newData.isBoolean()"
}
}
}
}
}
But the Bolt compiler is a better solution for this, as it allows you to create Types to define schema.
You can write your Security Rules in the Firebase App Dashboard or you can upload them via the Firebase CLI.
I have a user object in my firebase db that contains some sensitive date (e.g., email).
For situations where I need to fetch user information (who are not the current user), how do I prevent returning this data? (For example, if a user could view other users' profile data.)
Options
Using Firebase security rules: problem with this option is that there are ton of errors thrown when trying to retrieve the user object (even though I only want to "hide" sensitive child values under that user object).
Restructure my data so that public and private data are in two different paths.
Option #2 seems viable to me, but I want to check before making a major architectural overhaul that there's not an easier solution?
With respect to security rules, Firebase operations are all-or-nothing.
As a result, attempting to load all of the data at /users/<uid> will fail because your client does not have permission to read all of the data at that location, though you do have permission to read some of the data there. Similarly, writing to a location behaves the same way, and full permission is required before your operation will continue.
To handle this use case, consider restructuring your data like this:
{
"rules": {
".read": false,
".write": false,
"users": {
"$uid": {
// Users can read / write all of their own data
".write": "auth != null && auth.uid == $uid"
"public": {
// public data goes here
".read": true // Make all of this data public
},
"private": {
// private data goes here
}
}
}
}
}