Firebase security rules: Allow read on anything except one field

Question

In my Firebase security rules, I want anonymous users to be able to read anything except one field (secret_field):

{
  "rules": {
    ".read": true,
    ".write": "auth != null",
    "stuff" : {
      "$stuffID" : {
        "secret_field" : {
           ".read" : "auth != null"
        }
      }
    }
  }
}

However, in Firebase, if any read rule on the way to secret_field evaluates as true, read access on secret field is granted.

Is there a way to reverse that behavior? (If any read rule on the way to secret_field evaluates to false, disallow read access)

Michael Lehenbauer Michael Lehenbauer · Accepted Answer · 2013-01-30T03:19:04

You can't reverse the behavior, but you can solve this by introducing a "container" for the public fields and setting .read to true for it. For example:

{
  "rules": {
    "stuff" : {
      "$stuffID" : {
        "public" : {
          ".read": true
        },
        "secret_field" : {
          ".read" : "auth != null"
        }
      }
    }
  }
}

And then everything under .../public/ is accessible to everybody but .../secret_field is only accessible for authenticated users.

Firebase security rules: Allow read on anything except one field

1 Answers