I want to create an increment field for article likes.

I am referring to this link: https://firebase.google.com/docs/database/android/save-data#save_data_as_transactions

In the example there is code for increment field:

if (p.stars.containsKey(getUid())) {
    // Unstar the post and remove self from stars
    p.starCount = p.starCount - 1;
    p.stars.remove(getUid());
} else {
    // Star the post and add self to stars
    p.starCount = p.starCount + 1;
    p.stars.put(getUid(), true);
}

But how can I be sure if the user already liked/unliked the article?

In the example, user (hacker) might as well clear whole stars Map like this and it will save anyway:

p.stars = new HashMap<>();

and it will ruin the logic for other users who were already liked it.

I do not even think you can make rules for this, especially for "decrease count" action.

Any help, suggestions?

Solution 1

The security rules can do a few things:

  • ensure that a user can only add/remove their own uid to the stars node

    "stars": {
      "$uid": {
        ".write": "$uid == auth.uid"
      }
    }
    
  • ensure that a user can only change the starCount when they are adding their own uid to the stars node or removing it from there

  • ensure that the user can only increase/decrease starCount by 1

Even with these, it might indeed still be tricky to have a security rule that ensures that the starCount is equal to the number of uids in the stars node. I encourage you to try it though, and share your result.

The way I've seen most developers deal with this though is:

  • do the start counting on the client (if the size of the stars node is not too large, this is reasonable).
  • have a trusted process running on a server that aggregates the stars into starCount. It could use child_added/child_removed events for incrementing/decrementing.

Update: with working example

I wrote up a working example of a voting system. The data structure is:

votes: {
  uid1: true,
  uid2: true,
},
voteCount: 2

When a user votes, the app sends a multi-location update:

{
  "/votes/uid3": true,
  "voteCount": 3
}

And then to remove their vote:

{
  "/votes/uid3": null,
  "voteCount": 2
}

This means the app needs to explicitly read the current value for voteCount, with:

function vote(auth) {
  ref.child('voteCount').once('value', function(voteCount) {
    var updates = {};
    updates['votes/'+auth.uid] = true;
    updates.voteCount = voteCount.val() + 1;
    ref.update(updates);
  });  
}

It's essentially a multi-location transaction, but then built in app code and security rules instead of the Firebase SDK and server itself.

The security rules do a few things:

  1. ensure that the voteCount can only go up or down by 1
  2. ensure that a user can only add/remove their own vote
  3. ensure that a count increase is accompanied by a vote
  4. ensure that a count decrease is accompanied by a "unvote"
  5. ensure that a vote is accompanied by a count increase

Note that the rules don't:

  • ensure that an "unvote" is accompanied by a count decrease (can be done with a .write rule)
  • retry failed votes/unvotes (to handle concurrent voting/unvoting)

The rules:

"votes": {
    "$uid": {
      ".write": "auth.uid == $uid",
      ".validate": "(!data.exists() && newData.val() == true &&
                      newData.parent().parent().child('voteCount').val() == data.parent().parent().child('voteCount').val() + 1
                    )"
    }
},
"voteCount": {
    ".validate": "(newData.val() == data.val() + 1 && 
                   newData.parent().child('votes').child(auth.uid).val() == true && 
                   !data.parent().child('votes').child(auth.uid).exists()
                  ) || 
                  (newData.val() == data.val() - 1 && 
                   !newData.parent().child('votes').child(auth.uid).exists() && 
                   data.parent().child('votes').child(auth.uid).val() == true
                  )",
    ".write": "auth != null"
}

jsbin with some code to test this: http://jsbin.com/yaxexe/edit?js,console