Common Database Rules for Firebase
// No Security
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// Full security
{
  "rules": {
    ".read": false,
    ".write": false
  }
}

// Only authenticated users can access/write data
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

// Validates user is moderator from different database location
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "root.child('users').child('moderator').val() === true"
      }
    }
  }
}

// Validates string datatype and length range
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
      }
    }
  }
}

// Checks presence of child attributes
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.hasChildren(['username', 'timestamp'])"
      }
    }
  }
}

// Validates timestamp is not a future value
{
  "rules": {
    "posts": {
      "$uid": {
        "timestamp": {
          ".validate": "newData.val() <= now"
        }
      }
    }
  }
}

// Prevents Delete or Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists()"
      }
    }
  }
}

// Prevents only Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "newData.exists()"
      }
    }
  }
}

// Prevents only Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists() || !newData.exists()"
      }
    }
  }
}

// Prevents Create and Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "data.exists() && newData.exists()"
      }
    }
  }
}
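
Added example (not part of the original gist): the four `data.exists()` / `newData.exists()` write expressions above, evaluated locally against create, update and delete to show which operations each one actually lets through. `snapshot()` is a hypothetical stand-in for the rules engine's `data` and `newData` objects, and the before/after values are constructed.

```javascript
// snapshot() is a hypothetical stand-in for the rules engine's data/newData:
// only exists() is modelled, and null means "no value at this path".
const snapshot = (value) => ({ exists: () => value !== null });

// Expressions copied verbatim from the ".write" rules above.
const WRITE_RULES = {
  "Prevents Delete or Update": "!data.exists()",
  "Prevents only Delete": "newData.exists()",
  "Prevents only Update": "!data.exists() || !newData.exists()",
  "Prevents Create and Delete": "data.exists() && newData.exists()",
};

// Each operation as [value before the write, value after the write] (constructed).
const OPERATIONS = {
  create: [null, "new"],
  update: ["old", "new"],
  delete: ["old", null],
};

// Returns the names of the operations the expression permits.
function allowedOperations(expr) {
  const rule = new Function("data", "newData", `return (${expr});`);
  return Object.entries(OPERATIONS)
    .filter(([, [before, after]]) => rule(snapshot(before), snapshot(after)))
    .map(([name]) => name);
}

// Maps each rule label to the operations it permits.
function truthTable() {
  const table = {};
  for (const [label, expr] of Object.entries(WRITE_RULES)) {
    table[label] = allowedOperations(expr);
  }
  return table;
}

console.log(truthTable());
```

These expressions only decide which kind of write passes; they say nothing about who is writing, so they are normally combined with an `auth` condition using `&&`.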

pookdeveloper commented Apr 28, 2018

Hello, how can I specify emails for the security? Thanks

SerggioC commented Jun 28, 2018

You can use regex to validate emails.

vdjaures commented Jul 11, 2018

Small question, new to database ... All rule attributes must be under one rule or can there be multiple { "rules": { with different parameters?

Ananthusubramanian commented Aug 10, 2018

Can I know if there are any rules for allowing only a set of children not more than that, inside a child?

ghost commented Aug 12, 2018

@Ananthusubramanian No, you can't

learnbit commented Sep 20, 2018

Great contribution, it will be great to have also for validating some fields with some types

lukepighetti commented Sep 22, 2018

Any thoughts on how to allow an update to a node only if two values are present? (eg: "message" and "time_updated" must both be updated at the same time)

ohabash commented Oct 3, 2018

Is there a write rule that will make sure that only a certain app or URL can write to it?

aniketmlk6 commented Nov 11, 2018

Good job

TannoFinn commented Dec 29, 2018

Thank you so much! Still one thing I don't understand - how can I combine these in one expression? I want users to only access their own posts but being able to delete them. At the moment this does not allow my users to "remove" posts, instead it throws a permission error. Shouldn't it work anyway as $uid === auth.uid gets true and there is no other literal to it?

{
"rules": {
".read": false,
".write": false,
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}

sebastiandg7 commented Feb 10, 2019

@TannoFinn maybe a little late but... you can use ".delete" also

Uroos commented Feb 17, 2019

Thanks a lot. One single go-to place for all the basic and most commonly used rules.

blu94 commented Feb 22, 2019

May I know how to edit database data through POSTMAN or HTTP request after applying the rules?

ziachand commented Apr 2, 2019

Can you please provide a sample of using unique fields in a collection?

muankit commented Jan 14, 2020

I am registering user using Google sign in and on successful sign in saving user email and name in database.
This rule is working fine:

    {
      "rules": {
        ".read": "auth != null",
        ".write": "auth != null"
      }
    }

but I want to use this rule:

    {
      "rules": {
        "Users": {
          "$uid": {
            ".read": "$uid === auth.uid",
            ".write": "$uid === auth.uid"
          }
        }
      }
    }

but it is saying permission denied.

My Firebase Database Structure looks like this:

     MAIN_NODE 
               |
               -  Users
                     |
                     - UID1
                          |- NAME : USERNAME
                          |- EMAIL : USER_EMAIL
                     - UID2
                          |- NAME : USERNAME
                          |- EMAIL : USER_EMAIL
                     - UID3
                          |- NAME : USERNAME
                          |- EMAIL : USER_EMAIL

What should I change in these rules to get permitted to write and read?

asterixorobelix commented Jan 25, 2020

Is there a way to prevent reads for anyone other than my app, using the android applicationID?

bulatgab commented Feb 18, 2020

This doesn't seem to be correct (checking if the user is a moderator):
".write": "root.child('users').child('moderator').val() === true"

Shouldn't it be this way?
".write": "root.child('users').child('moderator').child($uid).exists()"
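
Added example (not from the gist or from any commenter): the gist's moderator expression never references `auth`, so it evaluates the same for every caller; the sketch below runs it next to a per-user variant. The `/users/<uid>/moderator` layout, the `PER_USER_RULE` expression, the `node()` mock and the sample data are all assumptions made for illustration.

```javascript
// node() is a hypothetical stand-in for a rules snapshot; only child() and
// val() are modelled, and a missing path yields null.
const node = (value) => ({
  child: (key) =>
    node(value !== null && typeof value === "object" && key in value ? value[key] : null),
  val: () => value,
});

// Constructed sample data for the two layouts.
const GLOBAL_FLAG_DB = { users: { moderator: true } };
const PER_USER_DB = {
  users: { alice: { moderator: true }, bob: { moderator: false } },
};

// Expression copied verbatim from the gist.
const GIST_RULE = "root.child('users').child('moderator').val() === true";
// Assumed alternative: the flag is stored under each user's own uid.
const PER_USER_RULE =
  "auth != null && root.child('users').child(auth.uid).child('moderator').val() === true";

// Evaluates a rule expression for a caller; auth is null when signed out.
function canWrite(expr, db, auth) {
  const rule = new Function("root", "auth", `return (${expr});`);
  return rule(node(db), auth);
}

// Runs both expressions for a signed-out caller, a non-moderator and a moderator.
function compare() {
  const callers = { anonymous: null, bob: { uid: "bob" }, alice: { uid: "alice" } };
  const result = {};
  for (const [name, auth] of Object.entries(callers)) {
    result[name] = {
      gistRule: canWrite(GIST_RULE, GLOBAL_FLAG_DB, auth),
      perUserRule: canWrite(PER_USER_RULE, PER_USER_DB, auth),
    };
  }
  return result;
}

console.log(compare());
```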
