I managed to use firestore in the app. Users can post a blog which will be updated in real time to all the users. I want to restrict users to post only one blog from their account. How can I make this possible? How can I restrict users from posting multiple posts?
You could use Firestore Rules
service cloud.firestore {
match /databases/{database}/documents {
match /blogs/{blogId} {
allow create:
if request.auth.uid == resource.data.userAuthId &&
request.resource.data.authorNumOfBlogs == 0
allow update, delete:
if request.auth.uid == resource.data.userAuthId
}
}
}
This will only allow the user to create a blog if the request matches the current users id and if that user only has one blog post.
Be sure to make a field authorNumOfBlogs in your /blogs collection and increment/decrement it accordingly when the user creates/deletes a blog post. Also, add a userAuthId field in your /users collection if you are not already keeping track of the user's uid in firestore.
Before uploading the post You can query the collection to see if already exists a post from that user.
If exists, You don't upload the post.
For this You need to save the uid of the user that create the document inside every post.
Related
I have an image link that I want to protect for only authorize users but the issue whenever I try to get the link I can see the picture, even if I specify the rule for it ?
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /profiles/{userId}/{image} {
// Read from storage !!
allow get : if request.auth != null // Authorized users only
}
}
}
If you're referring to download URLs, those are not at all controlled by security rules or any form of authentication. Anyone who has the link can view the content. That behavior can't be changed.
I want to allow every User, even if he is not logged in, to read the datas of my database. But I want that only Users which are logged in and are "marked as a admin" can override this data...
Is there a way to do this? And is there a way to mark some Users as admin?
Btw I want to use swift if this is possible
For allowing only admins to edit, you will first have to give each user an 'admin' field in their user doc, which will only be set to True for Admins, then set the rules:
match /{document=**} {
allow read: if true;
allow write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true
}
If you'd like some more help with documentation, Firestore has some nifty examples here: https://firebase.google.com/docs/firestore/security/rules-conditions
i'll publish my app on Google Play Store but in test phases (Alpha Version), i was using this rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone on the internet to view, edit, and delete
// all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// your app will lose access to your Firestore database
match /{document=**} {
// allow read, write: if request.time < timestamp.date(2020, 3, 25);
allow read, write: if request.auth.uid != null;
}
}
}
But, when the app must be published to public i can't know the best path or the best rules that my app must have.
My app have a login screen and after login screen each user have your respectives documents and collections in your document generated from sign up.
I can't got think on a form to protect my app of invasors.
I was playing with facebook graph api, where I wanted to get the posts by me and it's related comments.
I get all posts of using me/posts/ and the id of each post is appended with the user-id i.e if my user-id is 1234 then the list of post would be like (JSON):
{
id:1234_50
}
{
id:1234_51
}
{
id:1234_53
}
And now if I copy the post-id and paste it to facebook.com/1234_53 then it redirects me to that post. Ok that's fine, facebook identifies that the left part of _ is user-id and right is post-id.
But when I dive some more deeper and query the api for the comments of posts using <post-id>/comments, it returns me the metadata for comments. Again each comment has a unique id. Suppose post 53 has a comment having id= 777. So the JSON returned for that is id:53_777. Now when I append this to facebook.com/53_777, this time api identify the left part of _ as the post id and the right part as the comment id.
I am curious to know how api working differently in above scenarios?
NOTE: I am thinking all this in an RDBMS perspective where user, posts and comments must be having separate tables
you can use :
me/posts/?fields=comments{id}
I am trying out the new Facebook Messenger Platform and have hit a bit of a problem.
When a user first chats with my Bot, I want to use the sender.id to lookup the user in my DB and verify whether they're a customer or not and offer a more tailored UX.
User's sign up to my service using Facebook Login, but unfortunately it appears my App's Facebook ID & my Bot's Facebook ID are different due to IDs being limited to App-scopes.
Is there any way associate the 2 IDs to allow me to find a user in my DB?
UPDATE (4/20/2016):
We got around this by asking users on first contact via messenger to click a link to login to their account so we could associate their messenger_id with their account in our DB.
Would be awesome if facebook instead included PAGE_SCOPED IDs in the ids_for_business endpoint.
UPDATE: (6/1/2016):
Facebook's latest update includes a new "Account Linking" functionality that appears to solve this issue. See https://developers.facebook.com/docs/messenger-platform/account-linking
Facebook's latest update includes a new "Account Linking" functionality that appears to solve this issue. See https://developers.facebook.com/docs/messenger-platform/account-linking
Unfortunately, there's no way of doing that currently. Asking them to login for new threads is the best way of linking accounts.
Yes. You can get details like first name, last name, profile pic url, locale, timezone, gender from an api. Only you have to pass is their recipient id/sender id and acccess_token of your messenger bot.
https://graph.facebook.com/v2.6/USER_ID?fields=first_name,last_name,profile_pic,locale,timezone,gender&access_token=TOKEN
I solved it different way but it works perfectly by graph API,i read mailbox of my page so that when any one can interact by messenger bot than i read pages inbox and iterate through,
Step 1:
Do a HTTP get request by graph API ,
you want a PAGE_UNIQUE_ID from Graph API ,
GET REQUEST
https://graph.facebook.com/v2.6/<PAGE_UNIQUE_ID>?fields=conversations.limit(10){participants,updated_time,id}&access_token=<PAGE_ACCESS_TOKEN>
PAGE_UNIQUE_ID Hints:
Go ===> https://developers.facebook.com/tools/explorer/ ==> Press "Get Token" ===> Select your desired page ===>Finally Submit , You show a id on output that is PAGE_UNIQUE_ID in here.
Check on browser for resoponse.
Step 2:
After doing above http request ,you get a JSON object that will show latest 10 conversation of pages where desired facebook id included.
Step 3:
Do iteration through by user full name or you can use lodash or underscore at your choice,
getUserID(response,'Zahid Rahman')
function getUserID(response, fullname) {
if (response && response.conversations && response.conversations.data) { //Check response is correct
var conversations = response.conversations.data; //Get all conversations
for (var j = 0; j < conversations.length; j++) {
var conversationsParticipants = conversations[j].participants.data;
for (var k = 0; k < conversationsParticipants.length; k++) { //Get all particiapnts of a single conversation.
var conversationsParticipantsEach = conversationsParticipants[k];
if (conversationsParticipantsEach.name === fullname) { //Check fullname match or not
console.log("Desired Facebook User ID : " + conversationsParticipants[k].id);
return conversationsParticipants[k].id;
}
}
}
}
}
Hope it will help you.
This is probably what you want: https://developers.facebook.com/docs/apps/for-business
It allows you to get all of the app-scoped user ids on a per-business basis.