1
votes

I have the following database:

    actions : [ {
      "added" : 1535293085383,
      "countdown" : 9999999999,
      "item" : 1,
      "type" : "a"
    }, {
      "added" : 1535293085383,
      "countdown" : 999999999,
      "extra" : "bb",
      "item" : "2",
      "type" : "b"
    }, {
      "added" : 1635293085383,
      "countdown" : 1,
      "item" : 3,
      "type" : "c"
    } ]

I want any logged-in user to be able to read all data, but ONLY WRITE THE COUNTDOWN NODE.

My idea is that every time users read the data they decrement that value, but they are not allowed to update any other node.

These are the rules I wrote:

    {
       "rules":{
          ".read":false,
          ".write":false,
          "actions":{
             ".indexOn":[
                "added"
             ],
             ".read": "auth != null",
             "countdown":{
                ".write" : "auth != null"
             }
          }
       }
    }

It is denying reads from unauthenticated users.
It is allowing reads from authenticated users.
It is denying writes from authenticated users EVEN in the countdown node.

How can I fix it?

1 Answer

3
votes

You're missing a level in your security rules. Right now you allow writing to /actions/countdown. But you want to allow writing to /actions/*/countdown. To capture that requirement, use a $ variable in your rules:

    {
       "rules":{
          ".read":false,
          ".write":false,
          "actions":{
             ".indexOn": [ "added" ],
             ".read": "auth != null",
             "$actionid": {
                "countdown":{
                   ".write" : "auth != null"
                }
             }
          }
       }
    }

Now because of the $actionid the countdown/.write rule under there applies to each child node of /actions.
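
The difference between the two rule sets can be checked with a small model. This is an added example, not part of the original answer and not Firebase's own code: `canWrite` is a hypothetical helper that walks a rules tree along a path, and it assumes rule strings can be evaluated as plain JavaScript and models only `.write`.

```javascript
// Simplified model of how Realtime Database decides a write (added example).
// Assumptions: rule strings are evaluated as plain JavaScript and only
// ".write" is modelled; real rules also have .read, .validate, and more.
const allows = (expr, auth) =>
  Boolean(new Function("auth", `return (${expr});`)(auth));

function canWrite(ruleset, path, auth) {
  let node = ruleset.rules;
  const segments = path.split("/").filter(Boolean);
  for (let i = 0; ; i++) {
    // .write cascades downward: a grant at any level on the path is final.
    if (".write" in node && allows(node[".write"], auth)) return true;
    if (i === segments.length) return false; // reached the target, no grant
    const keys = Object.keys(node);
    const wildcard = keys.find((k) => k.startsWith("$"));
    // A literal child key wins; otherwise a $variable matches any key.
    const next = keys.includes(segments[i]) ? segments[i] : wildcard;
    if (next === undefined) return false; // no rule covers this location
    node = node[next];
  }
}

// Rules from the question: "countdown" sits directly under "actions".
const questionRules = { rules: { ".read": false, ".write": false, actions: {
  ".indexOn": ["added"], ".read": "auth != null",
  countdown: { ".write": "auth != null" } } } };

// Rules from the answer: "$actionid" matches each child of /actions.
const answerRules = { rules: { ".read": false, ".write": false, actions: {
  ".indexOn": ["added"], ".read": "auth != null",
  $actionid: { countdown: { ".write": "auth != null" } } } } };

const user = { uid: "constructed-user" }; // constructed sample auth object
const results = {
  questionCountdown: canWrite(questionRules, "/actions/0/countdown", user),
  answerCountdown: canWrite(answerRules, "/actions/0/countdown", user),
  answerItem: canWrite(answerRules, "/actions/0/item", user),
  answerAnonymous: canWrite(answerRules, "/actions/0/countdown", null),
  questionLiteral: canWrite(questionRules, "/actions/countdown", user),
};
console.log(results);
```

Note that `.write` only decides who may write: restricting the new value itself (for example to the old value minus one) needs a `.validate` rule, which this model does not cover.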