Seperate firebase database rules for parent and child

1
votes

My database is structured like so...

Database structure

I want to have different read/write rules for the "users/uid" and "users/uid/locations/$address/latlng" node.

    "users": {
    "$uid": {

    ".read": "auth != null && $uid == auth.uid",
    ".write": "auth != null && $uid == auth.uid",

      "locations": {
        "$address": {
          "latlng": {

            ".read": true,
            ".write": false,

          }
        }
      }
    }
  }

Due to the rules cascade, it seems like this is not possible. The read and write are both passing where I want it to fail. Basically, I want the user to be able to create an address and latlng node under the locations node, but only let certain users create additional nodes under the address node.

Is this possible or will I need to structure my database differently?

Edit:

Here is my code for storing the info to the database

   mRootRef.child("users").child(user.getUid()).child("locations").child(currentAddress).child("latlng").setValue(currentLatLng.latitude + "," + currentLatLng.longitude);

Here is my code for retrieving the info from the database

mRootRef.child("users").child(user.getUid()).child("locations").child(selectedItem).child("verified").addListenerForSingleValueEvent(new ValueEventListener() {
                    @Override
                    public void onDataChange(@NonNull DataSnapshot dataSnapshot) {

                        //Check if address is verified

                        if(dataSnapshot.getValue() == null){

                            ChangeVerifiedMessage(false);
                            return;

                        }

                        if (dataSnapshot.exists()){

                            ChangeVerifiedMessage(true);

                            }else{

                            ChangeVerifiedMessage(false);

                            }

                        }
1
firebasefirebase-realtime-database
Firebase only stores keys/paths if they have a value. If there is no value, the key/path is removed too. Since there is only the latlng under the address node, there is no way to create an address without a latlng value in your example. Aside from that: anyone can read any latlng value in your database as long as they know the exact path. It might be easier to help, if you show the actual code that you're trying to use against these security rules and the result you get from that. - Frank van Puffelen
the code was added, and i caught a mistake in my question and edited that also. i need only certain users to be able to add additional nodes. but the rules still wont allow me to write nonetheless. - Garren Fitzenreiter
As far as certain users trying to write additional nodes, i dont have that code yet, just trying to set the rules up first before implementing that. - Garren Fitzenreiter

1 Answers

1
votes

You can try to use validation to achieve what you want. You can validate, that the children (in your case latlng) do not exist in specific cases. Validations are not cascading, so you can just replace your write rules with it. It may be a little workaround, but the only idea that comes to my mind without restructuring your data.