0
votes

The security rules don't cascade, like the docs say.

Shallow rules don't override deeper rules

This picture demonstrates the result of an authorized read request to path /foo/baz/bar/ done with the simulator.

The Firebase docs say this (code example is relevant to the docs):

{
  "rules": {
    "foo": {
      ".read": true,
      ".write": false
    }
  }
}

.read and .write rules cascade, so this ruleset grants read access to any data at path /foo/ as well as any deeper paths such as /foo/bar/baz. Note that .read and .write rules shallower in the database override deeper rules, so read access to /foo/bar/baz would still be granted in this example even if a rule at the path /foo/bar/baz evaluated to false.

Why do I get the opposite effect?


1 Answer

1
votes

Allowing access cascades, denying access does not. If denying access had the same cascading effect, rules would become verbose since you would have to explicitly exclude every part of the database you don't want affected even when denying.

Think of rules as a big or statement -- it goes through each matching rule one by one until it finds a true:

rule1 || rule2 || rule3 || rule4 ...
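
The OR-style evaluation described in the answer, as an added example that is not part of the original post and is not Firebase's own code: a simplified model that walks a ruleset from the root down to the requested path and grants access at the first rule that is `true`. Assumptions: `isAllowed` and both rulesets are hypothetical and constructed here, and every `.read`/`.write` value is a boolean literal rather than a rule expression.

```javascript
// Simplified model of rule evaluation along a path (added illustration).
// Assumption: rule values are boolean literals, not expressions.
function isAllowed(ruleset, path, op) {
  const segments = path.split("/").filter(Boolean);
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const trace = []; // every rule that was actually consulted, in order
  let node = ruleset.rules;

  for (let depth = 0; node !== undefined; depth++) {
    const at = "/" + segments.slice(0, depth).join("/");
    if (has(node, op)) {
      trace.push(`${at} ${op}=${node[op]}`);
      // First true wins: nothing deeper is evaluated after a grant.
      if (node[op] === true) return { allowed: true, grantedAt: at, trace };
    }
    if (depth === segments.length) break; // reached the requested path
    node = has(node, segments[depth]) ? node[segments[depth]] : undefined;
  }
  // No rule on the path evaluated to true: default deny.
  return { allowed: false, grantedAt: null, trace };
}

// Constructed ruleset: the docs' example plus the deeper "false" rule
// that the quoted paragraph describes.
const shallowAllow = {
  rules: {
    foo: { ".read": true, ".write": false, bar: { baz: { ".read": false } } },
  },
};

// Constructed ruleset: the reverse case, a shallow "false" with a deeper "true".
const shallowDeny = {
  rules: {
    foo: { ".read": false, bar: { ".read": true } },
  },
};

console.log(isAllowed(shallowAllow, "/foo/bar/baz", ".read"));
console.log(isAllowed(shallowDeny, "/foo", ".read"));
console.log(isAllowed(shallowDeny, "/foo/bar/qux", ".read"));
```

The `trace` field shows why a deeper `false` cannot revoke a shallower grant (the deeper rule is never consulted), while a shallower `false` is consulted but does not stop the walk from reaching a deeper `true`.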