
Just a quickie, I'm trying to get my head around Firebase security protocols and I have set up a database called UsersDB which will store details based on auth.uid. The details being full name, email, provider, account created date, last login date.

I have setup a rule as follows:

{
  "rules": {
    ".read": "auth != null", // only authed users can read/write
    ".write": "auth != null",
    "UsersDB": {
      "$uid": {
        ".read": "auth.uid == $uid", // users can read/write their own data
        ".write": "auth.uid == $uid"
      }
    }
  }
}

My understanding is that the record will only be able to be read and written by the person whose user_id matches the auth.uid.

My question is, have I done this correctly, and if not how should I achieve this? I only want the person creating the account to be able to read and write to this and no other uid to access the information.

Lastly, as an administrator of the Firebase account, I would be thinking of going down the line of creating an admin-console type of software which would allow me access to all the data stored. How would I change or update the rules to allow an admin login to access the data above? Would I change the read access to anyone (although this would seem to me to leave a vulnerability in the rules), or is there a way to declare a rule giving my (admin) account full read access to all data?

Thanks


1 Answer


You're overlooking a very important part of the Firebase documentation that specifies that permissions cascade:

SECURITY AND FIREBASE RULES WORK FROM THE TOP-DOWN

The child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.

Since your top-level read and write rules already allow any authenticated users to read/write all accounts, you cannot revoke that privilege lower in the tree.

Luckily there is no need in your scenario to grant these higher-level permissions.

{
  "rules": {
    "UsersDB": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

With this each user can only read and write their own data.

Keep in mind that Firebase rules are not filters. With the structure above, no user can query on /UsersDB, since nobody has read permission there.
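The cascade the answer describes, shown as an added example that is not part of the original answer and is not the Firebase rules engine: a small JavaScript model that walks a rule tree from the root to the requested path and grants access as soon as any node on that path evaluates its ".read" or ".write" expression to true. It runs both rule sets from this page against the same requests. Assumptions of the model: a rule expression that throws (for example `auth.uid` with no signed-in user) counts as false, the two expressions used on the page ("auth != null" and "auth.uid == $uid") can be evaluated as plain JavaScript with `auth` and the `$uid` wildcard bound as variables, and a literal child key takes precedence over a `$` wildcard. The user names and the `demo`, `isAllowed` and `evalRule` helpers are constructed for this example.

```javascript
// Simplified model of top-down rule cascading in the Firebase Realtime
// Database, written for illustration only (not the real rules engine).
// Assumptions (see lead-in): any ancestor grant wins, an erroring rule
// denies, and the page's two rule expressions are evaluated as plain JS.

// The rule set from the question (constructed from the post above).
const questionRules = {
  rules: {
    ".read": "auth != null",
    ".write": "auth != null",
    UsersDB: {
      $uid: {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid",
      },
    },
  },
};

// The rule set from the answer.
const answerRules = {
  rules: {
    UsersDB: {
      $uid: {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid",
      },
    },
  },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Evaluate one rule expression with the given variables bound by name.
// `new Function` is acceptable here only because the expressions are our
// own constants; never evaluate untrusted input this way.
function evalRule(expr, scope) {
  const names = Object.keys(scope);
  try {
    const fn = new Function(...names, `return Boolean(${expr});`);
    return fn(...names.map((n) => scope[n]));
  } catch (err) {
    // e.g. auth.uid on a null auth: treat an erroring rule as deny
    return false;
  }
}

// Decide whether `auth` may perform `kind` (".read" or ".write") on `path`.
function isAllowed(ruleSet, kind, auth, path) {
  const segments = path.split("/").filter(Boolean);
  const scope = { auth };
  let node = ruleSet.rules;

  // The root is an ancestor of every path, so a grant there wins first.
  if (hasOwn(node, kind) && evalRule(node[kind], scope)) return true;

  for (const seg of segments) {
    let next;
    if (hasOwn(node, seg)) {
      next = node[seg];
    } else {
      // No literal child: fall back to a $wildcard and bind the segment to it.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // nothing deeper can grant
      scope[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    // A child rule can only add access an ancestor did not already grant.
    if (hasOwn(node, kind) && evalRule(node[kind], scope)) return true;
  }
  // Nothing on the path granted access: default deny.
  return false;
}

// Constructed sample users.
const alice = { uid: "alice" };
const bob = { uid: "bob" };

function demo() {
  return {
    questionLetsAliceReadBob: isAllowed(questionRules, ".read", alice, "/UsersDB/bob"),
    answerLetsAliceReadBob: isAllowed(answerRules, ".read", alice, "/UsersDB/bob"),
    answerLetsAliceReadAlice: isAllowed(answerRules, ".read", alice, "/UsersDB/alice"),
    answerLetsAliceListUsersDB: isAllowed(answerRules, ".read", alice, "/UsersDB"),
    answerLetsAnonReadAlice: isAllowed(answerRules, ".read", null, "/UsersDB/alice"),
    answerLetsBobWriteBob: isAllowed(answerRules, ".write", bob, "/UsersDB/bob"),
  };
}

console.log(demo());
```

Run it with `node`: the question's rule set lets alice read /UsersDB/bob because the root grant already applied before the `$uid` rule was reached, while the answer's rule set confines each user to their own node and, because /UsersDB itself has no ".read", denies a listing of /UsersDB entirely (rules are not filters). Before relying on any real rule set, confirm the same requests in the Firebase console's rules simulator or against the Realtime Database emulator rather than a model like this one.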