1
00:00:04,930 --> 00:00:08,240
Everyone welcome back Johnny be here with this laptop.

2
00:00:08,440 --> 00:00:13,120
And in this lesson we are going to work on our security rules and we're going to take a look at some

3
00:00:13,120 --> 00:00:19,540
more advanced things that you can do with them and really fine tune in lock down some of our paths.

4
00:00:19,540 --> 00:00:19,770
All right.

5
00:00:19,780 --> 00:00:27,100
So this is where we left off in the last video we are able to now edit comments and delete them so we

6
00:00:27,100 --> 00:00:28,090
can edit and police.

7
00:00:28,090 --> 00:00:29,620
That's pretty cool.

8
00:00:29,690 --> 00:00:35,470
But just take a look at our security rules because there's some things that we should change up here.

9
00:00:35,520 --> 00:00:40,150
So I want to jump into our firebase dashboard here in our database tab here and we're going to take

10
00:00:40,150 --> 00:00:41,590
a look at our rules.

11
00:00:41,970 --> 00:00:44,830
And in the last course I want to fix something real quick.

12
00:00:44,830 --> 00:00:47,470
I put off that I.D..

13
00:00:47,650 --> 00:00:49,520
This should be off you I.D..

14
00:00:49,640 --> 00:00:55,180
All right I want to publish that and just get that out of the way and let's talk a little bit about

15
00:00:55,180 --> 00:00:58,500
what we want to work on here what we're going to fine tune.

16
00:00:58,720 --> 00:01:09,400
So right now when we are in our app we are saying here that anyone as long as they are logged in they

17
00:01:09,400 --> 00:01:18,810
can modify and create and delete any document from the thoughts collection and down.

18
00:01:18,880 --> 00:01:27,100
What that means is that if someone had the document path to any of your thoughts or comments they could

19
00:01:27,100 --> 00:01:33,280
potentially update them or delete them or you know whatever it is that they wanted to do.

20
00:01:33,490 --> 00:01:37,330
So let's go ahead and we're going to we're going to try and lock this down a little bit tighter.

21
00:01:37,570 --> 00:01:43,810
So first thing we're going to do is we are going to get rid of this recursive wildcard so that now this

22
00:01:43,960 --> 00:01:48,320
these rules here only apply to the documents in the thoughts collection.

23
00:01:48,610 --> 00:01:52,840
And what we're going to do is we're going to leave the thoughts collection alone for now because we

24
00:01:52,840 --> 00:01:54,460
haven't done anything there yet.

25
00:01:54,460 --> 00:02:00,120
We've been working primarily in the comments collection being able to delete and edit them.

26
00:02:00,160 --> 00:02:04,770
So let's go and create a new match here with the same match.

27
00:02:04,780 --> 00:02:11,530
And remember that if you continue a match from inside of a match you can just continue on the path.

28
00:02:11,530 --> 00:02:13,250
So we've gone from thoughts and thoughts.

29
00:02:13,270 --> 00:02:19,350
So this is going to continue at the comments and wildcard comment.

30
00:02:19,680 --> 00:02:20,800
OK.

31
00:02:21,450 --> 00:02:28,700
And now the rules that we write here will only apply to the common collection and the documents inside

32
00:02:28,700 --> 00:02:30,400
of that collection.

33
00:02:30,400 --> 00:02:32,660
So what do we want to have happen.

34
00:02:32,700 --> 00:02:37,780
I don't think that anyone that is logged in can read the comments meaning that we can still display

35
00:02:37,780 --> 00:02:38,440
them.

36
00:02:38,470 --> 00:02:47,490
So we're going to do that first one to say allow or read if the request thought often is not equal to

37
00:02:47,500 --> 00:02:47,750
no.

38
00:02:47,770 --> 00:02:51,810
So if someone is logged in then they can read the comments.

39
00:02:51,820 --> 00:02:56,850
Now what you've seen up till now is right and create.

40
00:02:56,920 --> 00:03:02,510
So right is the catch all inside of that we have create update and delete.

41
00:03:02,740 --> 00:03:04,980
So we're going to handle each of those cases separately.

42
00:03:05,070 --> 00:03:05,480
OK.

43
00:03:05,620 --> 00:03:09,370
So anyone should be able to create a comment right.

44
00:03:09,550 --> 00:03:10,480
As long as they're logged in.

45
00:03:10,480 --> 00:03:18,520
So again we're going to say allow create if the request thought off does not equal the whole.

46
00:03:19,120 --> 00:03:24,550
And I could have put this right here on the same line with the read but I wanted to just show you how

47
00:03:24,550 --> 00:03:29,230
you can break these out into their individual read and write components.

48
00:03:29,230 --> 00:03:32,310
And now Next up we have we're going to do we can do that delete.

49
00:03:32,350 --> 00:03:32,800
OK.

50
00:03:32,950 --> 00:03:37,810
So who can delete a document a comment in this case.

51
00:03:37,810 --> 00:03:43,510
Well we wanted to make it so that the only person that can delete a comment is the person that actually

52
00:03:43,510 --> 00:03:44,620
made the comment.

53
00:03:44,860 --> 00:03:54,060
So to do that we are going to compare the request ID and compare that with the the resources document

54
00:03:54,100 --> 00:04:00,490
data where we have stored the user id and that's why we did that whole process in the beginning of the

55
00:04:00,490 --> 00:04:01,050
Course.

56
00:04:01,170 --> 00:04:06,390
To add to the user id both the thought and comment documents.

57
00:04:06,520 --> 00:04:06,810
OK.

58
00:04:06,820 --> 00:04:21,070
So how we do that is we say allow them to if the request off dot UAD is equal to.

59
00:04:21,280 --> 00:04:25,370
And then we have the resource that data.

60
00:04:26,050 --> 00:04:27,600
User ID.

61
00:04:27,900 --> 00:04:30,480
OK let's talk about this real quick.

62
00:04:30,520 --> 00:04:35,480
So the request has two pieces of information the off.

63
00:04:35,590 --> 00:04:37,900
And then a resource.

64
00:04:38,110 --> 00:04:38,680
OK.

65
00:04:38,920 --> 00:04:47,200
And so you can kind of think of it as coming and receiving so the request is coming from our app and

66
00:04:47,200 --> 00:04:51,090
it's going to the fire store database resource here.

67
00:04:51,100 --> 00:04:53,930
This is what's already in the database.

68
00:04:53,950 --> 00:05:01,180
So what we're doing is we are comparing the the authorization information in the requests that's coming

69
00:05:01,180 --> 00:05:06,430
to the fire store and we're looking that and worse we're finding the idea the unique identifier of the

70
00:05:06,430 --> 00:05:12,310
person making the request and we're comparing that with what is already in the fire store database in

71
00:05:12,310 --> 00:05:14,440
this case a comment document.

72
00:05:14,560 --> 00:05:17,080
And we're looking at the data inside of it.

73
00:05:17,110 --> 00:05:24,400
And we're finding the user id field and we're comparing that value to the ID that is coming from the

74
00:05:24,400 --> 00:05:28,460
request and only if those are equivalent if those are equal.

75
00:05:28,570 --> 00:05:31,320
Will we allow that person to delete it.

76
00:05:31,330 --> 00:05:37,180
All right so let's go ahead and well you know what let's go ahead and see what it looks like when you

77
00:05:37,270 --> 00:05:38,690
when we don't allow this.

78
00:05:38,690 --> 00:05:38,950
All right.

79
00:05:38,960 --> 00:05:40,440
I'm going to comment this out actually.

80
00:05:40,570 --> 00:05:45,040
We're going to publish this and we're going to try and do it delete and then I want you to be able to

81
00:05:45,040 --> 00:05:51,820
see the error of that X code or that firestorm throws us up letting us know that hey something's not

82
00:05:51,820 --> 00:05:54,060
quite right with your security rules.

83
00:05:54,070 --> 00:05:59,430
I want to jump back into ex-coach here and actually we just need our simulator.

84
00:06:00,070 --> 00:06:04,210
And I think it's been long enough for that rule to propagate.

85
00:06:04,260 --> 00:06:07,730
So I'm going to go ahead and delete this comment right here.

86
00:06:08,050 --> 00:06:11,690
If you if you are logged in you can create a comment and delete it.

87
00:06:11,700 --> 00:06:15,930
Some would say delete comment and let's see here.

88
00:06:15,940 --> 00:06:18,190
Yep sure enough it did not delete.

89
00:06:18,220 --> 00:06:25,340
First off but if we come into here in X code you'll see here we have transaction failed.

90
00:06:25,360 --> 00:06:30,660
And it says let's see here missing or insufficient permissions.

91
00:06:30,820 --> 00:06:36,340
All right so that is telling you that you're trying to do something but is because of your security

92
00:06:36,340 --> 00:06:38,310
rules that you are not able to.

93
00:06:38,310 --> 00:06:41,290
You don't have the correct permissions set.

94
00:06:41,380 --> 00:06:46,600
All right so that is what happens when when you don't have the right the correct the security rules

95
00:06:46,600 --> 00:06:48,100
set.

96
00:06:48,100 --> 00:06:51,310
Or if someone is trying to do something that they shouldn't be doing.

97
00:06:51,310 --> 00:07:00,280
All right so now if we publish this and wait just a couple of seconds here we'll we'll try that again

98
00:07:00,310 --> 00:07:02,930
and see if we can delete them.

99
00:07:02,950 --> 00:07:03,250
All right.

100
00:07:03,250 --> 00:07:07,890
So I've waited a few seconds so it's good to try and delete this now.

101
00:07:08,410 --> 00:07:09,490
And there it goes.

102
00:07:09,490 --> 00:07:13,580
All right so now we know that our delete is working.

103
00:07:13,600 --> 00:07:15,440
So how about that update.

104
00:07:15,670 --> 00:07:21,970
So we tried to update something here has created a new comment real quick and I'm going to try to edit

105
00:07:21,970 --> 00:07:22,920
it.

106
00:07:23,920 --> 00:07:31,150
And I'm just going to put something different and say update and that is not going to work and X code

107
00:07:31,150 --> 00:07:35,490
should give us a yet unable to update comment missing or insufficient permissions.

108
00:07:35,650 --> 00:07:39,130
All right so now we need to add the rules for updating.

109
00:07:39,140 --> 00:07:45,720
When you say allow update and the first part is going to be the same as the above we're going to say

110
00:07:45,720 --> 00:07:53,170
if request that your ID is equal to the resource that data user ID.

111
00:07:53,530 --> 00:07:59,500
So if the person that created the comment is the same person that is trying to edit the comment then

112
00:07:59,500 --> 00:08:00,480
they can go ahead.

113
00:08:00,770 --> 00:08:06,760
But and this is just to kind of show you some of the stuff that you can do what you can do is you can

114
00:08:06,760 --> 00:08:09,430
also add other conditionals.

115
00:08:09,520 --> 00:08:15,010
So we're going to see if the if it's the person that owns the comment but also we want to make sure

116
00:08:15,010 --> 00:08:20,320
that they're not trying to change other things like the user name or if you wanted to make sure that

117
00:08:20,460 --> 00:08:25,820
the time stamp stays the same whatever it is I'm going to make sure that the username stays the same.

118
00:08:25,990 --> 00:08:29,820
So we can do that by saying request that resource.

119
00:08:30,070 --> 00:08:35,500
So I had kind of talked a little bit about how requests have the authorization information as well as

120
00:08:35,920 --> 00:08:39,870
the resource information that is being sent up to five store.

121
00:08:40,000 --> 00:08:43,300
So this resource information this contains everything.

122
00:08:43,340 --> 00:08:44,640
And let's see here.

123
00:08:44,650 --> 00:08:49,640
This is in comments the sea I believe.

124
00:08:50,050 --> 00:08:54,610
So for instance and when we created common we sent up the common text time stamp user name and user

125
00:08:54,610 --> 00:08:55,570
ID.

126
00:08:55,570 --> 00:08:58,260
So we have access to that here as well.

127
00:08:58,360 --> 00:09:07,270
So we're going to say data that user name is equal to the resource that is currently in fire store data

128
00:09:07,270 --> 00:09:08,710
data user name.

129
00:09:08,980 --> 00:09:15,160
So if those two aren't the same if the if the user name information doesn't match then then they won't

130
00:09:15,160 --> 00:09:16,920
be able to update.

131
00:09:16,930 --> 00:09:18,880
All right so I think that's about it.

132
00:09:18,880 --> 00:09:23,600
I'm going to publish this and we'll wait a few seconds and we will try this again.

133
00:09:24,350 --> 00:09:27,790
Oh I see a typo here that should be the source.

134
00:09:27,830 --> 00:09:31,720
And there we go and publish that and we'll give that another try.

135
00:09:32,190 --> 00:09:36,780
I'm back in the simulator going to try editing this comment here.

136
00:09:37,420 --> 00:09:39,980
It is the update.

137
00:09:40,160 --> 00:09:41,970
And there it's working.

138
00:09:42,310 --> 00:09:43,590
All right so very nice.

139
00:09:43,630 --> 00:09:46,920
I'm going to try and delete this make sure that's still working as well.

140
00:09:46,930 --> 00:09:48,580
So leave a comment on that.

141
00:09:48,610 --> 00:09:49,540
Looking good.

142
00:09:49,780 --> 00:09:59,370
We can create Common's it so I think we got our comments collection and documents locked down and fine

143
00:09:59,400 --> 00:10:01,380
tuned in a pretty good way.

144
00:10:01,380 --> 00:10:02,080
All right.

145
00:10:02,550 --> 00:10:12,180
So just to recap here we allow read and create if the user is logged in we allow deleting if the user

146
00:10:12,180 --> 00:10:21,660
id in the request matches the resources user ID and we allow updating if the requestors ID matches the

147
00:10:21,660 --> 00:10:30,450
resources user ID as well as saying that the incoming user name matches the existing resources user

148
00:10:30,450 --> 00:10:31,750
name as well.

149
00:10:31,830 --> 00:10:37,500
So thats just a little peek into some of the more advanced Firestar security rules that we can that

150
00:10:37,500 --> 00:10:42,900
we can do and we're going to be doing a little bit more advanced stuff here a little bit later when

151
00:10:42,900 --> 00:10:46,410
we when we look at the thoughts comments as well.

152
00:10:46,410 --> 00:10:46,690
All right.

153
00:10:46,690 --> 00:10:49,570
So we're looking forward to that and we'll see you in the next one.