To what extent are the firebase rules of Childs overridden by rules set for 'parents' in the database?

1
votes

Say topline in the database you allow authorized users to read but Childs of this database entry you only allow authorized users to read their own entry. Will giving the topline ability for all auth users to read invalidate the child rule where auth users can only read their own?

specifically will people and uid invalidate coordinates?

{
  "rules": {
  "people" : {
    ".read": "auth.uid != null",
    ".write": true
   ,"$uid": {
      ".read": "auth.uid != null",
      ".write": "$uid === auth.uid"
     ,  "Education" :{
         ".read": "auth.uid != null",
        ".write": "$uid === auth.uid"
      }
      ,"Coordinates" : {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }  
       ,"ForReUpload": {
        ".read": "auth.uid != null",
       ".write": "$uid === auth.uid"
  }
      ,"PhotoPosts": {
      ".read": "auth.uid != null",
     ".write": "$uid === auth.uid"
      }

      ,"WhatIamConsideringBuying":  { 
      ".read": "auth.uid != null",
      ".write": "$uid === auth.uid"
  }
      ,"caption": {
        ".read": "auth.uid != null",
    ".write": "$uid === auth.uid"
  }
      ,"peopleWhoLike" : {
        ".read": "auth.uid != null",
        ".write": "$uid === auth.uid"
  }
      ,"peopleWhoLike2" : {
     ".read": "auth.uid != null",
    ".write": "$uid === auth.uid"
  }

      ,"postID" : { 
     ".read": "auth.uid != null",
    ".write": "$uid === auth.uid"
  }
      ,"users" : {     
     ".read": "auth.uid != null",
   ".write": "$uid === auth.uid"  
  }
    }
  }
  }
}
1
firebase-realtime-databasefirebase-authenticationfirebase-security

1 Answers

1
votes

Yes, any rule that applies at a high level will affect all children under it. Children can not remove access granted at a higher level. I suggest reading the documentation that discuss how read and write rules cascade:

Shallower security rules override rules at deeper paths. Child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.

.read and .write rules work from top-down, with shallower rules overriding deeper rules. If a rule grants read or write permissions at a particular path, then it also grants access to all child nodes under it.