I am currently creating Firebase security rules to prevent a user from setting a node to null and deleting all the data in that node.

This is my schema

{
  "folder" : {
    "item1" : {
      "dataset1" : {
        "data1" : 123,
        "data2" : 456,
        "data3" : 789
      }
    }
  }
}

These are my rules

{
  "rules": {
    "folder": {
      // users cannot delete items in the node folder
      ".write": "newData.exists()",
      // item is a variable
      "$item": {
        "dataset1": {
          // dataset1 must have certain nodes and can't be deleted (set to null)
          ".validate": "data.hasChildren(['data1', 'data2', 'data3']) && newData.exists()",
          "data1": {".validate": "newData.isNumber()"},
          "data2": {".validate": "newData.isNumber()"},
          "data3": {".validate": "newData.isNumber()"},
          // using the variable $other means any node that isn't data1, data2, data3 is denied
          "$other": {".validate": false}
        }
      }
    }
  }
}

Using the built in simulator I'm getting these results:

The write is properly denied and doesn't let user set folder node to null

This works when location is set to "/folder/item1" and "/folder/item1/dataset1"

However when location is set to "/folder/item1/dataset1/data1" the write is allowed and the data is deleted.

If I had deeper nodes in data1 they would all be deleted because the write was allowed.

Thanks for taking a read. Open to any answers, preferably I don't need to change the schema.

1 Answer

It's not really clear to me what you're asking. But there are a few problems with your rules, so I'll just point those out in hopes that they answer your question.

  1. You grant write access on /folder, which you cannot take away at a lower level.
  2. As long as any data is left under /folder any write is allowed. A thing to keep in mind is that newData is the data at the location as it will exist after the write operation; it is not just the new data that is written.
  3. I have the impression that you're trying to prevent the deletion with .validate rules. Keep in mind that validation is not performed when deleting data, so you cannot use .validate rules to prevent deletion.

I suspect that #2 is causing your current problem.
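As an added illustration of the three points above (not part of the question or the answer), here is one way to restructure the rules so that the "/folder/item1/dataset1/data1" case is denied: the .write grant is moved off /folder (point 1), the deletion check is expressed as a .write rule rather than .validate (point 3), and it relies on newData at dataset1 being the whole subtree as it will exist after the write (point 2), so removing any one of the three children fails the hasChildren check. The schema is the one from the question; the rule expressions are assumptions about what the asker wants to allow, not verified output of the Firebase simulator.

```json
{
  "rules": {
    "folder": {
      // no ".write" here: a grant at this level cannot be revoked below,
      // and it would also let a client delete /folder outright
      "$item": {
        "dataset1": {
          // .write, not .validate: validation is skipped when newData is null,
          // so a deletion must be caught by the write rule.
          // newData is dataset1 as it will exist AFTER the write, so setting
          // /folder/$item/dataset1/data1 to null leaves newData without data1
          // and the hasChildren check fails, denying the write.
          ".write": "newData.exists() && newData.hasChildren(['data1', 'data2', 'data3'])",
          // type checks for non-null values only
          "data1": {".validate": "newData.isNumber()"},
          "data2": {".validate": "newData.isNumber()"},
          "data3": {".validate": "newData.isNumber()"},
          // any other child under dataset1 is rejected
          "$other": {".validate": false}
        }
      }
    }
  }
}
```

With these rules a write of {"data1": 999} to /folder/item1/dataset1/data1 is still allowed, since dataset1 keeps all three children after the write, while setting that same path, dataset1, item1 or folder to null finds no granting .write rule.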