1
00:00:05,320 --> 00:00:07,150
Everyone welcome back to class.

2
00:00:07,150 --> 00:00:09,510
J.B. here with slopes dot com.

3
00:00:09,580 --> 00:00:14,290
And in this lesson we are going to take a look at our security rules for our thoughts.

4
00:00:14,320 --> 00:00:15,390
So a couple of lessons ago.

5
00:00:15,430 --> 00:00:21,850
We did some advanced security rules for our comments and now we're going to take a look at our

6
00:00:21,850 --> 00:00:22,960
thoughts as well.

7
00:00:22,960 --> 00:00:28,440
All right so right now we have it so that anyone as long as they are logged in can read and write thoughts.

8
00:00:28,530 --> 00:00:32,230
But just like our comments now that we are able to delete.

9
00:00:32,230 --> 00:00:39,150
We want to make it so that only people that own the comments can actually do the deleting.

10
00:00:39,160 --> 00:00:47,110
So what we're going to do is we're going to learn to make it so that anyone can read the thoughts just like

11
00:00:47,110 --> 00:00:50,300
our comments but as well as create.

12
00:00:50,350 --> 00:00:55,280
So here we say allow read and create as long as you're logged in.

13
00:00:55,810 --> 00:00:59,340
And right now, since we're not doing anything special with the updating, I'll

14
00:00:59,350 --> 00:01:00,020
leave that for you.

15
00:01:00,070 --> 00:01:02,330
as a challenge in the next lesson.

16
00:01:02,350 --> 00:01:04,540
I'm also going to say update here.

17
00:01:04,780 --> 00:01:12,580
But for deleting we only want the people who own the thought to be able to delete that thought.

18
00:01:12,850 --> 00:01:24,310
So we're going to say allow delete if request dot auth dot uid is equal to resource

19
00:01:24,310 --> 00:01:27,780
dot data dot user ID.

20
00:01:27,910 --> 00:01:30,030
And again like we were talking about a couple of lessons ago.

21
00:01:30,280 --> 00:01:37,870
All this is doing is comparing the identity of the person making the request with the stored user ID

22
00:01:37,930 --> 00:01:41,960
that is inside of the data for the stored resource in Firestore.

23
00:01:41,980 --> 00:01:48,010
And if they match then they are allowed to perform whichever action is being specified here.

24
00:01:48,010 --> 00:01:49,390
In this case delete.

25
00:01:49,750 --> 00:01:53,520
So I'm going to publish this and it looks like we got an error here as usual.

26
00:01:53,560 --> 00:01:55,380
Let's see what's wrong.

27
00:01:56,170 --> 00:02:03,570
Oh, I have my if and my colon mixed up, so it should be allow delete colon if request.

28
00:02:03,560 --> 00:02:11,350
There we go, and then publish that, and we'll wait a couple of seconds and come back when this is

29
00:02:11,350 --> 00:02:12,470
available.

30
00:02:13,060 --> 00:02:15,550
All right so to test this out.

31
00:02:15,580 --> 00:02:21,380
Let's jump back into Xcode and let's run this.

32
00:02:21,420 --> 00:02:26,940
All right so let's create a new comment or a new thought and post it.

33
00:02:27,700 --> 00:02:41,170
And let's add some comments, comment one and comment two, and add them. And let's make sure that we can still

34
00:02:41,560 --> 00:02:43,980
delete it.

35
00:02:44,020 --> 00:02:45,890
All right so we are still able to delete.

36
00:02:46,090 --> 00:02:49,960
So our security rules seem to be working pretty well.

37
00:02:50,180 --> 00:02:53,230
But let me show you something here.

38
00:02:53,350 --> 00:02:56,320
We are going to run this on a second simulator.

39
00:02:56,360 --> 00:02:59,740
Now I want to run this.

40
00:02:59,740 --> 00:02:59,980
All right.

41
00:02:59,980 --> 00:03:03,130
So we currently have this running on two simulators.

42
00:03:03,130 --> 00:03:05,730
They are both logged in under the same account right now.

43
00:03:05,740 --> 00:03:15,600
But I'm going to log out and create a new user, and we'll call this one B and B, b at b dot com,

44
00:03:15,610 --> 00:03:19,550
password is 1 2 3 4 5 6, user name is Bella.

45
00:03:19,840 --> 00:03:29,120
And then I create this user and then log in, b at b dot com and 1 2 3 4 5 6, and log in.

46
00:03:29,160 --> 00:03:29,490
All right.

47
00:03:29,500 --> 00:03:38,080
And I'm going to create a thought under Bella's account, so "Bella's thought", post this, and I'm going to

48
00:03:38,080 --> 00:03:47,320
create one comment from Bella, "comment from Bella", I want to add that, and then I'm going to add a comment

49
00:03:47,320 --> 00:03:55,530
from J.B., "comment from J.B." And we haven't done this before.

50
00:03:55,600 --> 00:04:01,360
So this is actually pretty cool being able to see the two simulators side by side and how they

51
00:04:01,360 --> 00:04:06,370
work together, you know, when we add a comment over here it automatically shows up over here.

52
00:04:06,460 --> 00:04:11,980
You can see that in Bella's logged-in account she is able to edit and delete comments from her account

53
00:04:12,010 --> 00:04:13,140
but not J.B.'s.

54
00:04:13,180 --> 00:04:17,950
And over in J.B.'s account we're able to edit and delete J.B.'s comments but not Bella's.

55
00:04:17,950 --> 00:04:19,330
That's pretty cool.

56
00:04:19,330 --> 00:04:19,560
All right.

57
00:04:19,560 --> 00:04:25,500
So let's come back to our main screen here and now Bella is going to try and delete her thought.

58
00:04:25,600 --> 00:04:26,220
OK.

59
00:04:26,590 --> 00:04:34,420
So she deletes it, but oh, we get an error here. It says could not delete subcollection: missing or insufficient

60
00:04:34,420 --> 00:04:35,770
permissions.

61
00:04:35,770 --> 00:04:37,300
So what's going on here.

62
00:04:37,300 --> 00:04:45,370
You know, Bella has access to be able to delete her thought because we said that right here,

63
00:04:45,370 --> 00:04:46,330
right.

64
00:04:46,360 --> 00:04:54,610
delete if her UID matches the resource ID of the thought, but inside of this thought

65
00:04:55,090 --> 00:04:58,570
there is a comment from J.B..

66
00:04:58,900 --> 00:05:08,390
And if we take a look at our comments rules, we only allow deleting if the requestor's ID

67
00:05:08,420 --> 00:05:11,850
matches the resource's data user ID.

68
00:05:11,930 --> 00:05:20,360
And in this case Bella's user ID does not match the resource user ID for J.B.'s comment.

69
00:05:20,370 --> 00:05:26,360
All right, so this is a problem because now we have kind of a catch-22 where Bella wants to delete

70
00:05:26,360 --> 00:05:27,080
her thought.

71
00:05:27,290 --> 00:05:30,360
But J.B. has a comment under there.

72
00:05:30,710 --> 00:05:35,930
And Bella can't delete J.B.'s comment, and so what we're going to have to do is kind of make an executive decision

73
00:05:35,930 --> 00:05:43,280
here and say well a user should be able to delete a thought and any comments associated with it if they

74
00:05:43,280 --> 00:05:44,520
so desire.

75
00:05:44,570 --> 00:05:47,480
And that's just a decision that we as the app owner are making.

76
00:05:47,510 --> 00:05:52,140
You might handle it differently if you wanted but that's how we're going to do it.

77
00:05:52,160 --> 00:05:59,480
And so what we're going to do is we're going to say we can delete a comment if the owner of the comment

78
00:05:59,480 --> 00:06:05,630
is trying to delete it, or if the owner of the thought that the comment belongs to is trying to delete

79
00:06:05,630 --> 00:06:06,120
it.

80
00:06:06,170 --> 00:06:12,320
So to do that we're going to use an OR statement here, which is done with two pipes. I'm going to move this

81
00:06:12,320 --> 00:06:13,830
over here.

82
00:06:14,360 --> 00:06:21,500
And what we're going to do is compare the user ID of the thought document

83
00:06:21,770 --> 00:06:26,820
with the user ID of the person making the request.

84
00:06:26,840 --> 00:06:34,770
All right, so we're going to say if request dot auth dot uid is equal to,

85
00:06:35,000 --> 00:06:40,680
and then we need a way to get the user ID of the thought document.

86
00:06:40,700 --> 00:06:41,050
All right.

87
00:06:41,090 --> 00:06:53,300
And we have access to the requestor's auth information, the requestor's resource data, as well as the resource

88
00:06:53,300 --> 00:06:57,660
data of the document being accessed.

89
00:06:57,760 --> 00:07:05,990
But we don't automatically have access to the information of a different document elsewhere. To do that

90
00:07:05,990 --> 00:07:10,130
we need to use what's called a get, and that is written like this.

91
00:07:10,130 --> 00:07:15,890
We say get and then we have parentheses, and then what we need to do is provide the full

92
00:07:15,890 --> 00:07:19,630
path to the document that we want to get.

93
00:07:19,910 --> 00:07:25,150
And that actually includes this very top level path here.

94
00:07:25,160 --> 00:07:33,220
So what we do is we say slash databases slash, and then this part's a little bit different when you're

95
00:07:33,230 --> 00:07:35,040
using like actual documents.

96
00:07:35,180 --> 00:07:38,990
We use a dollar sign and then parentheses.

97
00:07:39,020 --> 00:07:41,210
And so this is database.

98
00:07:41,720 --> 00:07:47,240
And then another slash for the documents and then another slash.

99
00:07:47,240 --> 00:07:52,050
All right so this right here is equivalent to this right here.

100
00:07:52,160 --> 00:07:52,670
OK.

101
00:07:52,850 --> 00:07:58,800
So anywhere that you see the wildcard database or the wildcard document,

102
00:07:58,800 --> 00:08:00,230
same thing as right here,

103
00:08:00,230 --> 00:08:06,260
that will then be a dollar sign and parentheses and then the notation for it.

104
00:08:06,470 --> 00:08:13,160
All right so then we come down to our thoughts level here and we're going to say thoughts collection

105
00:08:13,820 --> 00:08:24,020
and then our dollar sign and our parentheses and thought, and this is our path to our thought that we

106
00:08:24,230 --> 00:08:25,580
need to access.

107
00:08:25,580 --> 00:08:25,990
Okay.

108
00:08:26,150 --> 00:08:32,260
And so this whole get right here will be kind of the same as this resource here.

109
00:08:32,390 --> 00:08:36,570
So it's getting the resource for a document at a specific path.

110
00:08:36,650 --> 00:08:45,570
Then we can say dot data dot user ID and put a space right here.

111
00:08:46,460 --> 00:08:48,620
And let's just look at this one more time.

112
00:08:48,740 --> 00:08:54,700
We are comparing the requestor's UID with the resource data of the thought.

113
00:08:54,710 --> 00:08:59,750
But since we don't have direct access to it right now, we go and get it, and we do that by saying get

114
00:09:00,110 --> 00:09:06,930
and providing the full path including the highest level path right here.

115
00:09:07,280 --> 00:09:15,180
and then the thoughts collection and then the thought itself and then calling dot data dot user ID.

116
00:09:15,290 --> 00:09:19,550
So let's go ahead and publish this and see if it's working now.

117
00:09:20,360 --> 00:09:21,560
So it's been a couple of minutes.

118
00:09:21,560 --> 00:09:23,470
Let's go and try this one more time.

119
00:09:23,540 --> 00:09:28,080
I'm going to click on Bella's thought and try to delete it.

120
00:09:28,560 --> 00:09:31,250
And there it goes.

121
00:09:31,250 --> 00:09:40,160
All right, so now we have successfully modified our security rules to allow the deletion of a comment

122
00:09:40,400 --> 00:09:48,050
if the requester owns the comment or if the requester owns the thought that the comment belongs

123
00:09:48,050 --> 00:09:48,690
to.

124
00:09:48,980 --> 00:09:54,800
All right, so you know we've got some pretty complicated and thorough security rules that we've written

125
00:09:54,800 --> 00:09:55,540
out here.

126
00:09:55,550 --> 00:09:57,890
Like I said before there's still a lot more that you can do.

127
00:09:57,890 --> 00:10:04,020
You can do a lot of stuff with the security rules, but this is probably about the level that you'll

128
00:10:04,110 --> 00:10:06,930
need for probably 90 percent of your apps.

129
00:10:06,960 --> 00:10:10,080
So way to go, you guys have this under your belt now.

130
00:10:10,290 --> 00:10:16,920
And we're pretty much done with this course, with the entire course, with this app, and we built

131
00:10:17,220 --> 00:10:21,450
out a pretty impressive app, and using Firestore makes it so easy.

132
00:10:21,600 --> 00:10:23,380
And I love it.

133
00:10:23,490 --> 00:10:30,540
But in the next lesson I'm going to extend a couple of challenges for you all to enhance and expound

134
00:10:30,540 --> 00:10:32,170
on this app for yourselves.

135
00:10:32,170 --> 00:10:32,510
All right.

136
00:10:32,540 --> 00:10:33,620
So see you then.
