Firebase Realtime Database rules for “secret” url sharing

0
votes

I'm playing around with a simple web app that uses JS to interact with a Firebase Realtime Database that looks something like this:

{
  "some-collection": {
    "some-obscure-long-uuid": {
      "name": {
        "info_1": "foo",
        "info_2": "bar"
      }
    },
    "some-other-obscure-long-uuid": {
      "name": {
        "info_1": "foo",
        "info_2": "bar"
      }
    }
  }
}

The idea is not to use any form of authentication but to allow users to get a random shareable link, say www.myapp.com/some-obscure-long-uuid/index.html, so that other people can see and perform changes in real-time. With this in mind, I'm trying to find a set of rules that:

  • Don't expose the children of "some-collection" publicly
  • Give read and write access to the "some-obscure-long-uuid" child to anyone with the secret URL www.myapp.com/some-obscure-long-uuid/index.html

I've read the docs and suspect this can be achieved using the newData variable, but cannot get my head round to how to use it. Hope this makes sense and thanks a lot!

1
firebasefirebase-realtime-database

1 Answers

1
votes

I'm not sure if I understood correctly but below should give read-write access to anyone who is attempting to read or write to path some-collection/[some-obscure-long-uuid] and your some-collection parent would be safe from getting queried without anyone specifying the full path.

{
 "rules": {
    "some-collection": {
       ".read": "false",
       ".write": "false",
       "$some-obscure-long-uuid": {
         ".read": "true",
         ".write": "true",
       }
    }
  }
}