Having Confusion in Firebase Rules for my App

0
votes

I am having trouble in writing firebase permissions. I want those users if authenticated only write to users section and Everyone else should be able to read or write to any section of the database. Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated or I have to explicitly write rules for every table.

PS. It would be great if someone could guide me what rules should I implement for an app with features for sending and receiving a message with the following structure:

-Chat

-Friends

-Users

-message_notifications

-messages

-notifications

  /* Visit https://firebase.google.com/docs/database/security to learn more about security rules. */
  "rules": {

      "Users":{
      "$uid":{
            ".read": true,
             ".write": "auth.uid == $uid"
      }
    }

  }

}
1
firebasefirebase-realtime-databasefirebase-security

1 Answers

1
votes

Is there any way that I can define rules for every table default to true and restrict only user section to be authenticated?

Once a user has access to data at a certain level in your database, they have access to all data under that level. You cannot revoke this permission on a lower level. So there's no way to give a user access to all data at the root, and then exclude one node.

What you can do is use the $ wildcard rules to create two types of top-level nodes:

{
  "rules": {
    "Users":{
      "$uid":{
        ".read": true,
         ".write": "auth.uid == $uid"
      }
    },
    "$others": {
      ".read": true,
      ".write": true
    }
  }
}

With the above rules, users can:

  • Only read the /Users/$uid node of a user if they know the UID of that user.
  • Can only write their own /Users/$uid node.
  • Can read and write all other data.