Firebase is changing the user UIDs from <provider>:<number> to UUIDs (e.g. f47ac10b-58cc-4372-a567-0e02b2c3d479) starting August 17th.

See: https://groups.google.com/forum/#!topic/firebase-talk/s9mv4S46Qs0

Since existing users will keep the old format and only new users will be using UUIDs, it might be a good idea to be able to test both.

It appears that Targaryen evaluates newData as the value to be written, instead of an object with {key:value} of the data to be written (as Firebase does).

For example, if I have the collection:

/users/$uid
   - first_name
   - last_name
   - age

and I try to write "Ben" to /users/USER123/first_name and do the check: newData.val().length > 0, Targaryen will evaulate newData as "ben", while in Firebase, it will evaluate newData as {'first_name': "Ben"}, so to do the constraint, I actually need to write: newData.first_name.val().length > 0.

See #74

Given rules like this:

{
  "rules": {
    "foo": {
      "id": {
        ".validate": "newData.isString()"
      },
      "bar": {
        ".validate": "newData.isString()"
      }
    }
  }
}

Shouldn't the tryWrite pass? In a similar test I'm seeing a rejection at the level of /foo with newData.hasChildren[['id', 'bar'])

targaryen.setFirebaseData({foo: {id: 'hi', bar: 'blah'}})
root = targaryenHelpers.getFirebaseData()
rules = targaryenHelpers.getFirebaseRules()
rules.tryWrite('foo/bar', root, 'taco', ...)

Hey man, thanks for developing this.

We've been trying to use targaryan for a while now with my team.
Although it helps a lot we're encountering some issues, specially since the updates made recently.

Take a look at this for instance.

In Firebase, when you update some paths, the newData holds all the information for the current tree, not only the information that is been sent.

Like so:

When trying to do the same with targaryan:

I will try to post here when we find any other issues.
And we will gladly contribute to their solutions, it's just that we're in a crazy end of year sprint.
We're kind of being forced to "let the tests slip for a while" instead of being allowed to fix this.

Just tried to npm install on OSX El Capitan - targaryen won't run from the command line (command not found). Any tips on how to resolve?

When using targaryen as the jasmine integration, when a test is failing, the output is really verbose for complex rules.

To debug the issue, we have to look for => false in all the logs.

I tried playing with setVerbose and setDebug, but none seems to help (either we have no logs or too much logs).

I'm suggesting adding an option to log only the failing conditions (the ones returning false or throwing an error).

Hi all,

I am trying to run the following test:

...
   before(() => {
    ...
    targaryen.setFirebaseData({
      technicians: {
        'technician-admin': {
          created,
          profile,
          type: 'admin',
        }
      }
    });
  });
...
const admin = { uid: 'technician-admin', email: '[email protected]' };
...
expect(admin).cannot.write({ index: 'firebase', query: '*' }).to.path('search/request/:id');
...

against the following rules:

{
  "rules": {
    "search": {
      "request": {
        "$request": {
          ".validate": "newData.hasChildren(['index', 'type', 'query'])",
          "index": {
            ".validate": "newData.isString() && newData.val().length > 0"
          },
          "type": {
            ".validate": "newData.isString() && newData.val().length > 0"
          },
          "query": {
            ".validate": "newData.isString() && newData.val().length > 0"
          },
          "$other": {
            ".validate": "false"
          },
          ".write": "data.val() == null && (auth != null && auth.uid != null) && (newData.child('type').val() == 'item' || newData.child('type').val() == 'practice' || root.child('technicians').child(auth.uid).child('type').val() == 'admin')"
        }
      }
    }
  }
}

but it fails with the following error:

1) database user:technician:admin /search /request /:id pass:
     AssertionError: Expected a user with credentials {"uid":"technician-admin","email":"[email protected]"} not to be able to write {"index":"firebase","query":"*"} to search/request/:id, but the rules allowed the write.
/search/request/:id:.write: "data.val() == null && (auth != null && auth.uid != null) && (newData.child('type').val() == 'item' || newData.child('type').val() == 'practice' || root.child('technicians').child(auth.uid).child('type').val() == 'admin')"
    => true
Write was allowed.
      at Assertion.<anonymous> (node_modules/targaryen/lib/chai.js:84:12)
      at Assertion.ctx.(anonymous function) [as path] (node_modules/chai/lib/chai/utils/addMethod.js:41:25)
      at Context.it (test/database/rules.targaryen.js:1234:76)

This test would not have failed if ".validate": "newData.hasChildren(['index', 'type', 'query'])" would have been evaluated, it seems that targaryen didn't pickup .validate

Any help would be appreciated. We were looking for a way to test Fireabase rules locally (we ran them against a Fireabase app until now) and a few days ago we have been recommended targaryen by Mike from the Firebase support team. We have rewritten 300 tests to run on targaryen but some things we are not able to test.

Thanks in advance,
Romans

The test is breaking, but all conditions than the console show are true. I'm using chai plugin.
It's my rules json:

{
  "rules": {
    "list": {
      "$listId": {
        ".write": "(newData.parent().parent().child('otherList1').child($listId).val() == true)
        	     && (newData.parent().parent().child('otherList2').child($listId).val() == false)"
      }
    }
  }
}

And it's is test file:

const chai = require('chai');
const targaryen = require('targaryen/plugins/chai');
const { expect } = chai;
const { users } = targaryen;

chai.use(targaryen);

describe('list', function() {

  before(function() {
    targaryen.setFirebaseData({});
    targaryen.setFirebaseRules(require('../../database.rules.json'));
  });

  it('', () => {

    const updates = {
      'list/_listId1/id': '_listId1',
      'otherList1/_listId1': true,
      'otherList2/_listId1': false
    };

    expect({ uid: '_uid1' }).can.patch(updates).to.path('/');

  });

});

The console:

Hey!

Great library! I was looking for something like that, BUT ... it doesn't work well for array-like collections. Example:
lets say we have collection like that:
(We're are using bolt in our project)

type SomeAttr {
  // some mandatory property
  itemId: String
  ...
  // some optional property
  someAttrProp: String | Null
  ...
}
type Item {
  ...
  someAttrsCollection: SomeAttr[]
  ...
}

This code after compile results with rules like

...
"someAttrsCollection": {
  "$key1": {
    ".validate": "newData.hasChildren() && newData.hasChild('itemId')",
    ...
    "someAttrProp": {
      ".validate": "newData.isString()"
    }
    ...
  }
}
...

so, if we make write operation like that: /item/someAttrsCollection/0/someAttrProp, 'some value' it should be successful (and it is in real database!!!), but unit test with targaryen fails (write is denied) complaining to this rule ".validate": "newData.hasChildren() && newData.hasChild('itemId')"

I suggest we set up async tests that run against a live Firebase database. We currently have a number of known inconsistencies, and Firebase rule evaluation itself can change without notice.

Expose an API for what the CLI does, so we can write programmatic tests without Chai or Jasmine.

I've just added you as an owner to the targaryen package on npm, @dinoboff, so you can update the package now.

Hi @goldibex thanks for writing and maintaning this lib, it is awesome.

I have a small issue that I was wondering if you might be able to help me solve.

I have a validation rule

type InitialTimestamp extends Number {
  validate() { initial(this, now) }
}
// Returns true if the value is intialized to init, or if it retains it's prior value, otherwise.
initial(value, init) { value == (prior(value) == null ? init : prior(value)) }

type UserProfile {
  email: String
  signupDate: InitialTimestamp
}

The data im using for the write test is like so:

userProfile =
  email: '[email protected]'
  splitType: 'auto'
  signupDate: { ".sv": "timestamp" }

expect(uid:userUID).can.write({userProfile}).to.path userProfilePath + "/#{userUID}"

When inforcing this inside of targaryen it seems like there is a timing issue because it rejects it.

 be able to write {"email":"[email protected]","splitType":"auto","signupDate":1463817931069} to /user/profiles/2d7fda85-6ef7-495f-a70b-2e05ccda6e9e, but the rules denied the write.
/user/profiles/2d7fda85-6ef7-495f-a70b-2e05ccda6e9e:.write: "auth != null && auth.uid == $uid"
    => true
/user/profiles/2d7fda85-6ef7-495f-a70b-2e05ccda6e9e:.validate: "newData.hasChildren(['email', 'signupDate'])"
    => true
/user/profiles/2d7fda85-6ef7-495f-a70b-2e05ccda6e9e/email:.validate: "newData.isString()"
    => true
/user/profiles/2d7fda85-6ef7-495f-a70b-2e05ccda6e9e/signupDate:.validate: "newData.isNumber() && newData.val() == (data.val() == null ? now : data.val())"
    => false
Validation failed.
Write was denied.

If I change the rule to (less than current time on server):

initial(value, init) { value <= (prior(value) == null ? init : prior(value)) }

It passes. So I can see in the source that targaryen converts { ".sv": "timestamp" } to Date.now() but I cannot find where it enforces that rule and if it is generating another time at a later point and trying to compare them.

Cheers for any help, Jake

Edit:
It must be comparing these two dates

Given the following rules:

{
  "rules": {
    ".read": "auth !== null",
    ".write": "auth !== null",
    "users": {
      "$user": {
        ".write": "auth.uid === $user"
      }
    }
  }
}

and the following data:

{
  "users": {
    "3403291b-fdc9-4995-9a54-9656241c835d": {
      "name": "User 1"
    },
    "500f6e96-92c6-4f60-ad5d-207253aee4d3": {
      "name": "User 2"
    }
  }
}

This test should pass but fails:

const user1 = { uid: '3403291b-fdc9-4995-9a54-9656241c835d' };
const user2 = { uid: '500f6e96-92c6-4f60-ad5d-207253aee4d3' };

expect(user1).can.write.to.path(`users/${user1.uid}`);
expect(user1).cannot.write.to.path(`users/${user2.uid}`);

If i remove the top-level ".write" rule, the test correctly passes as expected which leaves me to conclude that nested read/write rules may not be resolved correctly.

When the rules contain something like:

"bio": {
  ".validate": "newData.isString() && newData.val().length < 100"
}

And testing with a write with "bio": "", targaryen throws an error:

Error: newData.val().length < 100: Invalid < expression: Left and right sides types are differents.

If I test by having a non-empty string for bio, it works.

Firstly, thanks for this package, it will help me a lot in development.

I have a rule something like

     "invites": {
        "pending": {
          "$invite_id": {
            ".validate": "newData.hasChildren(['bookID', 'email', 'ownerID', 'status'])",
            ".write": "auth.uid === newData.child('ownerID').val()",
            "bookID": {
              ".validate": "newData.isString()"
            },
            "email": {
              ".validate": "newData.isString()"
            },
            "ownerID": {
              ".validate": "newData.isString()"
            },
            "status": {
              ".validate": "newData.isString()"
            },
            "$other": {
              ".validate": "false"
            }
          }
        }

When using the Firebase simulator, a write of { bookID: 'hey', email: 5, ownerID: 'simplelogin:3', status: 'hey' } (note the email field being a non-string) to invites/pending/invite_id as the simplelogin:3 user does not succeed.

However using the Targaryen test suite (using the CLI) a 'cannotWrite' fails (i.e. it does succeed, and the test fails).

  "tests": {
    "invites/pending/invite_id": {
      "cannotWrite": [
        { "auth": "John Brown", "data": { "ownerID": "simplelogin:3" } },
        { "auth": "John Brown", "data": {
            "ownerID": "simplelogin:3",
            "bookID": "hey",
            "email": 5,
            "status": "sent"
          }
        }
      ]
    }

I'm not sure if I'm doing something wrong, whether I should be using Jasmine instead because it's too complicated, or if this is an issue with the test suite. Let me know, thanks :)

Edit:

I should add that other tests succeed at this location, like cannotWrite for users which aren't simplelogin:3 and canWrite for users who are simplelogin:3.

Also, the '$other' validation doesn't seem to be recognized by the test suite either - when I add an additional field, the suite expects it to succeed even though it should fail (verified with simulator).

If I have the following rules:

{
  "rules": {
    "users": {},
    "groups": {
      "$groupId": {
        ".write": "newData.parent().parent().child('users').child(auth.uid).exists()"
      }  
    }
  }
}

The new newData.parent().parent() is not correcty pointing to the root, in my test logs I get:

newData.parent().parent() = {"path":"","exists":true}
newData.parent().parent().child('users') = {"path":"users","exists":false}

The rule is working fine using on Firebase.

Thanks!

--verbose shows only one test. Ie: I have 8 tests. Running without --verbose I get 0 failures in 8 tests, Running with --verbose I get

│ Path                                        │ Type  │ Auth    │ Expect │ Got │
├─────────────────────────────────────────────┼───────┼─────────┼────────┼─────┤
│ users/db3993ee-4e1c-412e-a19c-e6f700def9c4  │ read  │ Marcel  │ ✓      │ ✓   │```

A rule like "auth.someNonexistentProperty === null" should pass. Tested in the simulator.

I've pushed a failing test here: https://github.com/mhuebert/targaryen/blob/rule-evaluation/test/spec/lib/ruleset.js#L203

Add documentation for:

• setFirebaseData gains a now parameter: targaryen.setFirebaseData(data[, now]);.
• jasmine matchers gain an optional now parameter.
• chai plugin write and patch methods gain an optional now parameter.
• chai plugin gains a readAt(now) method.

I think this (rule,test) pair should work. It doesn't but if you delete .child('a)' from the validate rule it works. This suggests to me the evaluation of ".validate" is not aware of its logical position in relation to the written data.
{
"rules": {
".validate": "newData.child('a').val() != null",
"a": {
".read": "true",
".write": "true"
}
}

}

{
"root": {
"a": 1,
"b": 2
},
"tests": {
"a": {
"canRead": [1],
"canWrite": [{ "auth": 1, "data": { ".sv": "timestamp" } }]
}
}
}

auth and its properties, or a snapshot val calls can evaluate to any primitive types, including null. Tests should be added and fix implemented to make sure snapshot and string methods, and binary operations behave like on firebase's; e.g., root.child(auth.foo).exists() and root.child(auth.foo).exists() == false should both evaluate to false if auth or auth.foo is null.

When writing or patching a null value, the null is passed up the hierarchy which causes tests to fail when they should not.

Example:

{
  "rules": {
    "A": {
      "B": {
        "C": {
          ".read": true,
          ".write": true
        }
      }
    }
  }
}

Chai code:

1. expect().can.write({C: 1}).to.path('A/B'); - passes
2. expect().can.write({C: null}).to.path('A/B'); - fails: AssertionError: Expected an unauthenticated user to be able to write `null` to A/B, but the rules denied the write. No .write rule allowed the operation. Write was denied.
3. expect().can.patch({C: 1}).to.path('A/B'); - passes
4. expect().can.patch({C: null}).to.path('A/B'); - passes
5. expect().can.write({B: {C: 1}}).to.path('A'); - passes
6. expect().can.write({B: {C: null}}).to.path('A'); - fails: AssertionError: Expected an unauthenticated user to be able to write `null` to A, but the rules denied the write. No .write rule allowed the operation. Write was denied.
7. expect().can.patch({B: {C: 1}}).to.path('A'); - passes
8. expect().can.patch({B: {C: null}}).to.path('A'); - fails: AssertionError: Expected an unauthenticated user to be able to write `null` to A/B, but the rules denied the write. No .write rule allowed the operation. Write was denied.

".validate" rules are not respected when the auth uid has a period in it. For instance:

const targaryen = require('targaryen');
// Note that "firstSignIn" must be a number
const rules = {
  rules: {
    ".write": true,
    ".read": true,
    users: {
      '$uid': {
        activity: {
          firstSignIn: {
            '.validate': 'newData.isNumber()'
          }
        }
      }
    }
  }
};
const user = { uid: 'foo.bar' };
const data = { users: { } };
const path = `/users/${user.uid}/activity/firstSignIn`;
const database = targaryen.database(rules, data).as(user).with({debug: true});
const result = database.write(path, 'notAnumber,shouldFail');
console.log(result.validated) // -> true

However if you change the above user to be "foobar", result.validated will correctly return "false".

I encountered this as I was creating dummy users using Math.random() for the uid, which is easy enough to work around, but it was a headache to track down why this is happening.

Add test !auth.foo parsing fails and fix if necessary.

@goldibex Can you please publish 2.2.1 or add dinoboff to the npm package list of collaborators.

see #45

In your Chai example code, you use the variable targaryenChai which is not previously defined. I think you just want to use targaryen here.

This shouldn't fail on null as null data should delete. So the write rule should pass. I am working on a fix and a test for this. The strange thing is null for isString() works.

I'm trying to create a user in the users object that's unauthenticated via:

"users": {
      "unauthenticated": null
    }

Then I have a rule that checks auth != null:

".write": "auth != null"

I get this error when running tests:

/usr/local/lib/node_modules/targaryen/lib/test-jig.js:22
    auth.$description = desc;
                      ^
TypeError: Cannot set property '$description' of null
    at TestJig._lookupAuth (/usr/local/lib/node_modules/targaryen/lib/test-jig.js:22:23)
    at TestJig.<anonymous> (/usr/local/lib/node_modules/targaryen/lib/test-jig.js:50:19)
    at Array.map (native)
    at TestJig.<anonymous> (/usr/local/lib/node_modules/targaryen/lib/test-jig.js:48:42)
    at Array.forEach (native)
    at TestJig.run (/usr/local/lib/node_modules/targaryen/lib/test-jig.js:32:27)
    at Object.<anonymous> (/usr/local/lib/node_modules/targaryen/bin/targaryen.js:25:17)
    at Module._compile (module.js:460:26)
    at Object.Module._extensions..js (module.js:478:10)
    at Module.load (module.js:355:32)

"tests": {
"a": {
"canRead": [1]
}
}

is different to

"tests": {
"/a": {
"canRead": [1]
}
}

which can cause issues for people that naturally prepend / to path.

Hi, I'm seeing tests pass that I don't think should actually be passing. I have a set of rules that look something like this (simplified a bit here):

{
  "rules":{
    ".write":"false",
    ".read":"false",
    "accounts": {
      ".write":"false",
      ".read":"true",
      "$accountId": {
        ".write":"false",
        ".read":"true",
        "flows": {
          ".write":"false",
          ".read":"true",
          "$flowId": {
            ".write":"false",
            "name": {
              ".write":"true",
              ".read":"true"
            },
            "createdAt": {
              ".write":"true",
              ".read":"true"
            },
            "steps": {
              ".write":"false",
              ".read":"true",
              "$stepId": {
                ".write":"true",
                ".read":"true",
                "stepType": {
                  ".write":"true",
                  ".read":"true"
                },
                "content": {
                  ".write":"true",
                  ".read":"true"
                }
              }
            }
          }
        }
      }
    }
  }
}

If I attempt to write the following data, it passes the write test (which it shouldn't according to my understanding of the rules):

  "tests": {
    "accounts/68/flows" : {
      "canWrite" : [{
        "auth": "User2000",
        "data": {
          "-Jkaaiir8329": {
            "name": "Test Flow",
            "createdAt": 123431411,
            "steps": {
              "-J9847saf7fhu": {
                "stepType": "image",
                "content": "test"
              }
            }
          }
        }
      }]
    }
  }

The rule should fail at this part I would think:

"$flowId": {
    ".write":"false",

But instead it looks like targaryen keeps evaluating child rules, finding one that passes. Here's the debug output, showing why the test passes:

/:.write: "false"
    => false
/accounts:.write: "false"
    => false
/accounts/68:.write: "false"
    => false
/accounts/68/flows:.write: "false"
    => false
/accounts/68/flows/-Jkaaiir8329:.write: "false"
    => false
/accounts/68/flows/-Jkaaiir8329/name:.write: "true"
    => true
Write was allowed.

┌───────────────────┬───────┬──────────┬────────┬─────┐
│ Path              │ Type  │ Auth     │ Expect │ Got │
├───────────────────┼───────┼──────────┼────────┼─────┤
│ accounts/68/flows │ write │ User2000 │ ✓      │ ✓   │
└───────────────────┴───────┴──────────┴────────┴─────┘

Maybe I'm using this incorrectly or have an incorrect assumption about how it should be working, but I think this may be a bug?

Thanks for the awesome tool by the way -- super helpful.

Since there are jasmine matchers do you know if there is a way to use them with jest as well?

Hi all,

we are evaluating how to test firebase rules and this seems to be the only real solution. Our rules.json is getting big, and to keep things clear we add comments and new lines using the same syntax accepted by firebase. Nevertheless targaryen complains about the json format. It doesn't like new lines nor comments in the json.

(Of course I could clean up the file before using targaryen.)

Is there any plans to support new lines and comments ?

thanks

Hi all,

Currently an expression such as ...child('x/' + auth.uid) fails because the undefined type of auth.uid doesn't satisfy the + operator. As it is not possible to predict what kind of values auth will contain, I thought to relax the + operator such that if one of its arguments is undefined, it will use the type of the other:

master...mhuebert:patch-2#diff-bcd6f8e4293a19f385ed2148860202e5R189

Thoughts/feedback?

Matt

A validation rule such as ".validate": "auth.notAFunction() === false" should fail.

Failing test: https://github.com/mhuebert/targaryen/blob/rule-evaluation/test/spec/lib/ruleset.js#L196

Targaryen 3 will infer a node type to "any" or "primitive" when it cannot be inferred it and will allow the expression if type validation can be delayed till evaluation. Logical expression (including the unary one) do not allow it; other expression type validation can be delayed.

• Loosen inferring #64
• == and !== should should compare number, boolean, string, or null #84
• >, >=, < and <= should compare number and string #85
• Fix handling of arguments with wrong type in snapshot and string methods. #87
• Stricter comparison type inferring #88
• Strict boolean unary type inferring #89

There is some undocumented problem with nested variables in Firebase rules recognized by targaryen. Firebase itself is handling them correctly.

Please see PR #23 where I demonstrate the problem in a (currently disabled) test suite.

Error: Expected an unauthenticated user to be able to read first/second/third, but the rules denied the read.
    /:<no rules>
    /first:<no rules>
    /first/second:<no rules>
    /first/second/third/: "$one == 'first' && $two == 'second' && $three == 'third'"
    $one: unknown variable $one
        => false
No .read rule allowed the operation.
Read was denied.

versus Firebase simulator

Attempt to read /first/second/third with auth=null
    /: "false"
        => false
    /first
    /first/second
    /first/second/third: "$one == 'first' && $two == 'second' && $three == 'third'"
        => true

Read was allowed.

For a write operation newValue holds the the value written to the node getting written; it is the value the user submitted and the value that will get written.

For multi-location write operations, having the patch data is important but having the resulting new value of the node would be useful; the alternative is something like result.newDatabase.root.path.to.node.$value().

I am not sure if the new attribute to the result object should be the resulting node value (minor change) or the patch data (major change if we use newValue for the resulting node value).

Is there a way to test removal functionality?

Hi,

I am trying to test some rules in nested paths. Using the following code (testing using Jasmine)

var targaryen = require('targaryen');

targaryen.setFirebaseData(
    {
        "one": {
            "one": true,
            "two": true
        }
    }
);

targaryen.setFirebaseRules(
    {
        "rules": {
            "$first": {
                "$second": {
                    ".read": "$first == $second"
                }
            }
        }
    }
);


describe('A set of rules and data', function() {

    beforeEach(function() {
        jasmine.addMatchers(targaryen.jasmine.matchers);
    });

    it('can be tested', function() {
        expect(targaryen.users.unauthenticated).canRead("/one/one");
        expect(targaryen.users.unauthenticated).cannotRead("/one/two");
    });

});

I get a failure as:

Expected an unauthenticated user to be able to read /one/one, but the rules denied the read.
    /:<no rules>
    /one:<no rules>
    /one/one/: "$first == $second"
    $first: unknown variable $first
        => false
    No .read rule allowed the operation.
    Read was denied.

I think this should pass, and the test cases would suggest it should but I notice the relevant test case is 'pending'.

I create a plugin for Must.js called must-targaryen. If I sent you a pull request could I just add this into the library?

Targaryen Version: 3.0.1

Security Rules:

{
  "rules": {
    "A": {
      "B": {
        "C": {
          "D": {
            ".write": "true"
          }
        }
      },
      "X": {
        "Y": {
          "Z": {
            ".write": "true"
          }
        }
      }
    }
  }
}

The following tests are failing but should succceed:
1.) Update a single path
expect().can.patch({B: {C: {D: 10}}}).path('A');
2.) Update both paths
expect().can.patch({B: {C: {D: 10}}, X: {Y: {Z: 20}}}).path('A');

The following code succeeds using firebase with the same security rules:
1.) Update a single path

var data = {};
data["B/C/D"] = 10;
database.ref('A').update(data);

2.) Update both paths

var data = {};
data["B/C/D"] = 10;
data["X/Y/Z/"] = 20;
database.ref('A').update(data);

Summary:
Only the full path (e.g.: A/B/C/D ) is writeable. Firebase still allows an update on the node A with the data for B/C/D. Targaryen seems to be more strict and doesn't allow this kind of patch.

I've created a simple test that fails in targaryen, but passes on firebase simulator.

Test:

{
  "root": {
    "chats": {
      "chat-01": {
        "orgID": "org-01"
      }
    }
  },

  "users": {
    "user01": {
      "uid": "user-01",
      "orgs": {
        "org-01": true
      }
    }
  },

  "tests": {
    "chats/chat-01": {
      "canRead": [ "user01" ]
    }
  }
}

Rules:

{
  "rules": {
    "chats": {
      "$chatID": {
        ".read": "root.child('chats').child($chatID).child('orgID').val() != null && auth.orgs != null && auth.orgs[root.child('chats').child($chatID).child('orgID').val()] == true"
      }
    }
  }
}

For easier reading, here's the rule pretty-printed:

root.child('chats').child($chatID).child('orgID').val() != null
&&
auth.orgs != null
&&
auth.orgs[ root.child('chats').child($chatID).child('orgID').val() ] == true

Firebase allow RuleDataSnapshot via computed property if the property is a literal node:

• root["exists"]() is allowed;
• root["exi" + "sts"]() is not allowed;
• root[$foo]() is not allowed.

Need a new security rule parser, a new runtime to evaluate rule condition and new data layer.

It should instead allow the patch.