0
votes

Update:

This is what the structure of my Firebase DB looks like; it has two main nodes, results and surveys, as shown:

Firebase Database Structure

These are my current rules:

{
  "rules": {
    "surveys": {
      ".indexOn": ["userId"],
      ".read": true,
      ".write": "auth.uid != null"
    },
    "results": {
      ".read": "auth.uid != null",
      "$resultid": {
        ".write": true
      }
    }
  }
}

Basically, when a user makes a new survey, the template gets stored in surveys. Right now only authenticated users are able to write to it, so it's perfectly fine. Now comes the reading part: right now anyone is able to read the entire surveys node. I cannot add auth != null to it, because when someone shares their survey, even unauthenticated users should be able to read that particular survey and do it. So what should I do so as to not allow everyone to read the entire surveys node, but only the one they should be reading? Or else anyone would be able to perform anyone's survey by pulling up all the IDs. By the way, the $resultid rule doesn't work and still allows write access right now :(

1 Answer

0
votes

The closest you can get is:

{
  "rules": {
    "surveys": {
      ".read": "auth != null",
      "$surveyid": {
        ".read": true,
        ".write": true
      }
    }
  }
}

These rules:

  • Allow any authenticated user to read all surveys.
  • Allow anyone who knows a survey ID to read/write that survey. You'll note that this is slightly different than your second requirement, as there is no way to know who created each survey unless they are signed in.

Update

For the results you'd then add:

"results": {
  ".read": "auth != null",
  "$resultid": {
    ".write": true
  }
}
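
An added example, not part of the original answer: a simplified JavaScript model of how Realtime Database `.read`/`.write` rules cascade, run against the two rule sets on this page. The helpers `evalRule` and `isAllowed` are hypothetical, support only the expressions shown here, and are not Firebase's own rule engine; the request paths and auth values are constructed.

```javascript
// Added example: simplified model of Realtime Database rule cascading.
// Only the rule expressions that appear on this page are supported.
const EXPRESSIONS = {
  'auth != null': (auth) => auth != null,
  'auth.uid != null': (auth) => auth != null && auth.uid != null,
};

function evalRule(rule, auth) {
  if (rule === undefined) return false; // no rule at this level grants nothing
  if (typeof rule === 'boolean') return rule;
  const fn = EXPRESSIONS[rule];
  if (!fn) throw new Error(`unsupported expression: ${rule}`);
  return fn(auth);
}

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Walk from the root to `path`; the first level that grants `op` decides,
// because a deeper rule cannot revoke a grant made higher up.
function isAllowed(ruleSet, op, path, auth) {
  let node = ruleSet.rules;
  if (evalRule(node['.' + op], auth)) return true;
  for (const key of path.split('/').filter(Boolean)) {
    const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
    if (own(node, key)) node = node[key];
    else if (wildcard) node = node[wildcard];
    else return false; // no matching rule below this point
    if (evalRule(node['.' + op], auth)) return true;
  }
  return false;
}

// The two rule sets from this page.
const questionRules = { rules: {
  surveys: { '.indexOn': ['userId'], '.read': true, '.write': 'auth.uid != null' },
  results: { '.read': 'auth.uid != null', $resultid: { '.write': true } },
} };
const answerRules = { rules: {
  surveys: { '.read': 'auth != null', $surveyid: { '.read': true, '.write': true } },
  results: { '.read': 'auth != null', $resultid: { '.write': true } },
} };

// Constructed sample requests; `null` auth means an unauthenticated client.
const anon = null;
console.log('question rules, anon reads /surveys:', isAllowed(questionRules, 'read', 'surveys', anon));
console.log('answer rules, anon reads /surveys:', isAllowed(answerRules, 'read', 'surveys', anon));
console.log('answer rules, anon reads /surveys/s1:', isAllowed(answerRules, 'read', 'surveys/s1', anon));
console.log('answer rules, anon writes /surveys/s1:', isAllowed(answerRules, 'write', 'surveys/s1', anon));
```
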