Patch allowed on targaryen, not on firebase #134

Closed
SamyPesse opened this issue Oct 21, 2017 · 2 comments

@SamyPesse

Targaryen is allowing a patch that should be rejected.

The following patch is invalid because a key -KwzSBcjqM_ydHz6415J is forgotten after the invites/:

{ 'orgs/org1/invites/':
       { uid: '-KwzSBcjqM_ydHz6415J',
         role: 'admin',
         createdAt: 1508598138982 } }

The Firebase rules are:

        ....
        "invites": {
          "$key2": {
            ".validate": "newData.hasChildren(['uid', 'role', 'createdAt']) && $key2 == newData.child('uid').val()",
            "uid": {
              ".validate": "newData.isString()"
            },
            "role": {
              ".validate": "newData.isString() && (newData.val() == 'reader' || newData.val() == 'writer' || newData.val() == 'reviewer' || newData.val() == 'admin')"
            },
            "createdAt": {
              ".validate": "newData.isNumber()"
            },
            "$other": {
              ".validate": "false"
            },
            ".read": "true"
          },
          ".validate": "newData.hasChildren() && newData.parent().parent().parent().child('orgs').child($orgID).child('infos').val() != null",
          ".read": "root.child('orgs').child($orgID).child('members').child(auth.uid).child('role').val() == 'admin'",
          ".write": "newData.parent().parent().parent().child('orgs').child($orgID).child('members').child(auth.uid).child('role').val() == 'admin'"
        }
       ....

The update is accepted on Targaryen (log of data.update('/', update)):

Result {
      path: '/',
      auth: { uid: 'user3' },
      type: 'patch',
      permitted: true,
      validated: true,
      database:
       Database { ... },
      newDatabase:
       Database { ... },
      newValue:
       { 'orgs/org1/invites/':
          { uid: '-KwzSBcjqM_ydHz6415J',
            role: 'admin',
            createdAt: 1508598138982 } } }

But on Firebase, the patch is rejected (as it should be):

[Screenshot: screen shot 2017-10-21 at 17 05 55]

@dinoboff
Collaborator

I can reproduce it, and the problem seems to be with the trailing slash.

dinoboff added a commit to dinoboff/targaryen that referenced this issue Oct 21, 2017
@dinoboff dinoboff added this to the 3.0.4 milestone Oct 21, 2017
@dinoboff
Collaborator

@SamyPesse Should be fixed in v3.0.4.
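
An added example, not part of the thread and not Targaryen's code: a hand-written mirror of the `invites/$key2` `.validate` rules quoted above, showing why the patch must fail once the trailing slash is dropped from the path. The helper names (`segments`, `validInvite`, `checkInvitePatch`) are hypothetical, it assumes empty path segments are ignored, and it skips the `.write` rule and the parent `infos` check.

```javascript
// Added example: re-implements only the invites/$key2 .validate rules from the issue.
const FIELDS = ['uid', 'role', 'createdAt'];
const ROLES = ['reader', 'writer', 'reviewer', 'admin'];

// Assumption: empty segments are dropped, so 'orgs/org1/invites/' and
// 'orgs/org1/invites' address the same node.
function segments(path) {
  return path.split('/').filter((s) => s.length > 0);
}

// Mirror of the rules under "$key2": required children, no "$other" children,
// key must equal uid, and per-field type/value checks.
function validInvite(key, v) {
  if (v === null || typeof v !== 'object') return false; // hasChildren([...]) fails on a leaf
  return FIELDS.every((f) => f in v) &&
    Object.keys(v).every((k) => FIELDS.includes(k)) &&
    typeof v.uid === 'string' && key === v.uid &&
    ROLES.includes(v.role) &&
    typeof v.createdAt === 'number';
}

// Validate one multi-location update entry aimed at orgs/$orgID/invites[/$key2].
function checkInvitePatch(path, value) {
  const [orgs, orgID, invites, ...rest] = segments(path);
  if (orgs !== 'orgs' || !orgID || invites !== 'invites' || rest.length > 1) {
    throw new Error('path outside orgs/$orgID/invites[/$key2]: ' + path);
  }
  if (rest.length === 1) return validInvite(rest[0], value);
  // The value replaces the whole invites node: every child is a $key2 entry.
  if (value === null || typeof value !== 'object') return false;
  const children = Object.entries(value);
  return children.length > 0 && children.every(([k, v]) => validInvite(k, v));
}

// Invite object taken from the issue.
const invite = { uid: '-KwzSBcjqM_ydHz6415J', role: 'admin', createdAt: 1508598138982 };

// Key forgotten: 'uid', 'role', 'createdAt' become $key2 entries holding leaves.
console.log(checkInvitePatch('orgs/org1/invites/', invite)); // false
console.log(checkInvitePatch('orgs/org1/invites', invite)); // false
// Key present and equal to uid.
console.log(checkInvitePatch('orgs/org1/invites/-KwzSBcjqM_ydHz6415J', invite)); // true
```
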
