Closed
Description
Targaryen is allowing a patch that should be rejected.
The following patch is invalid because a key -KwzSBcjqM_ydHz6415J is forgotten after the invites/:
{ 'orgs/org1/invites/':
   { uid: '-KwzSBcjqM_ydHz6415J',
     role: 'admin',
     createdAt: 1508598138982 } }
The Firebase rules are:
....
"invites": {
  "$key2": {
    ".validate": "newData.hasChildren(['uid', 'role', 'createdAt']) && $key2 == newData.child('uid').val()",
    "uid": {
      ".validate": "newData.isString()"
    },
    "role": {
      ".validate": "newData.isString() && (newData.val() == 'reader' || newData.val() == 'writer' || newData.val() == 'reviewer' || newData.val() == 'admin')"
    },
    "createdAt": {
      ".validate": "newData.isNumber()"
    },
    "$other": {
      ".validate": "false"
    },
    ".read": "true"
  },
  ".validate": "newData.hasChildren() && newData.parent().parent().parent().child('orgs').child($orgID).child('infos').val() != null",
  ".read": "root.child('orgs').child($orgID).child('members').child(auth.uid).child('role').val() == 'admin'",
  ".write": "newData.parent().parent().parent().child('orgs').child($orgID).child('members').child(auth.uid).child('role').val() == 'admin'"
}
....
The update is accepted on Targaryen (log of data.update('/', update)):
Result {
  path: '/',
  auth: { uid: 'user3' },
  type: 'patch',
  permitted: true,
  validated: true,
  database:
   Database { ... },
  newDatabase:
   Database { ... },
  newValue:
   { 'orgs/org1/invites/':
      { uid: '-KwzSBcjqM_ydHz6415J',
        role: 'admin',
        createdAt: 1508598138982 } } }
But on Firebase, the patch is rejected (as it should):
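An added example, not part of the original report and not Targaryen's or Firebase's code: a minimal model of the `$key2` validation rules quoted above, usable as a regression check for this case. It assumes a trailing `/` in a multi-location update key is ignored, so the value lands on the `invites` node itself; the helper names and the `base` data are hypothetical.

```javascript
// Added illustration: a minimal model of the "$key2" rules from the report.
// Assumption: a trailing "/" in an update key is ignored, so the value is
// written to the invites node itself and its fields become "$key2" children.
const ROLES = ['reader', 'writer', 'reviewer', 'admin'];
const FIELDS = ['uid', 'role', 'createdAt'];

// Split a path into segments, dropping empty ones ("a/b/" -> ["a", "b"]).
const segments = (path) => path.split('/').filter(Boolean);

// Return a copy of `root` with every patch entry written at its normalized path.
function applyPatch(root, patch) {
  const next = JSON.parse(JSON.stringify(root));
  for (const [path, value] of Object.entries(patch)) {
    const segs = segments(path);
    const last = segs.pop();
    if (last === undefined) continue; // root writes are out of scope here
    let node = next;
    for (const s of segs) {
      if (node[s] === null || typeof node[s] !== 'object') node[s] = {};
      node = node[s];
    }
    node[last] = value;
  }
  return next;
}

// Mirror of the ".validate" rules under invites/$key2.
function inviteIsValid(key, v) {
  if (v === null || typeof v !== 'object') return false; // hasChildren([...])
  return FIELDS.every((f) => f in v)
    && key === v.uid                                      // $key2 == uid
    && typeof v.uid === 'string'
    && ROLES.includes(v.role)
    && typeof v.createdAt === 'number'
    && Object.keys(v).every((k) => FIELDS.includes(k));   // "$other": false
}

// Keys under orgs/<orgId>/invites that fail validation after the patch.
function rejectedInviteKeys(root, patch, orgId) {
  const invites = applyPatch(root, patch).orgs?.[orgId]?.invites ?? {};
  return Object.keys(invites).filter((k) => !inviteIsValid(k, invites[k]));
}

// Constructed base data; the invite value is the one from the report.
const base = { orgs: { org1: { infos: { name: 'constructed' } } } };
const invite = { uid: '-KwzSBcjqM_ydHz6415J', role: 'admin', createdAt: 1508598138982 };
console.log(rejectedInviteKeys(base, { 'orgs/org1/invites/': invite }, 'org1'));
console.log(rejectedInviteKeys(base, { [`orgs/org1/invites/${invite.uid}`]: invite }, 'org1'));
```

Under this model the patch from the report fails validation for all three fields, while the same value written under `invites/<uid>` passes.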