Permission denied with Firebase Database rules

Question

I have the following form of database

Database
    users
        <UID>
            user
                <other information>

I am trying to read all my users in admin mode and only allow individual users to access their own information.

I am trying this rule:

"users": {
    "$uid": {
        ".read": "auth != null && (auth.uid == $uid || root.child('users').child(auth.uid).child('user').child('admin').val() == true)",
        ".write": "auth != null &&  !newData.child('admin').exists() && (auth.uid == $uid || root.child('users').child(auth.uid).child('user').child('admin').val() == true)"
    },
    ".indexOn": ["userid"]
},

I am doing the following query and I see the following error:

allusers = $firebaseArray(firebaseDataService.root.child('users'));

permission_denied at /users: Client doesn't have permission to access the desired data.

Any idea what I am doing wrong here ?

Frank van Puffelen Frank van Puffelen · Accepted Answer · 2016-08-28T20:08:55

When you attach a listener to /users, the Firebase server checks whether you have read permission on /users. If not, it rejects the listener.

This is a common source of confusion for developers new to Firebase. Coming from a SQL/relation mindset, we are used to use security to perform (server-side) filtering. In Firebase you cannot use security rules to filter data.

I'll add a few relevant links below for further reading:

Permission denied with Firebase Database rules

1 Answers