Common Database Rules for Firebase
// No Security
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
// Full security
{
  "rules": {
    ".read": false,
    ".write": false
  }
}
// Only authenticated users can access/write data
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
// Validates user is moderator from different database location
// (assumes each user's flag is stored at /users/<uid>/moderator)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "root.child('users').child(auth.uid).child('moderator').val() === true"
      }
    }
  }
}
// Validates string datatype and length range
// (expression kept on one line so the rules stay valid JSON)
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
      }
    }
  }
}
// Checks presence of child attributes
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.hasChildren(['username', 'timestamp'])"
      }
    }
  }
}
// Validates timestamp is not a future value
{
  "rules": {
    "posts": {
      "$uid": {
        "timestamp": {
          ".validate": "newData.val() <= now"
        }
      }
    }
  }
}
// Prevents Delete or Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists()"
      }
    }
  }
}
// Prevents only Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "newData.exists()"
      }
    }
  }
}
// Prevents only Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists() || !newData.exists()"
      }
    }
  }
}
// Prevents Create and Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "data.exists() && newData.exists()"
      }
    }
  }
}
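
The write rules above differ only in which combinations of `data` (the value stored now) and `newData` (the value once the write lands) they accept. The following added example, which is not part of the original gist, models those variables locally and reports which of create, update and delete each expression permits; `snap`, `evalRule` and `allowedOps` are hypothetical helper names and the sample values are constructed.

```javascript
// Added example: a local model of the rule variables, not the Firebase rules engine.
// snap(), evalRule() and allowedOps() are hypothetical helper names.
function snap(value) {
  const present = value !== null && value !== undefined;
  return {
    exists: () => present,
    val: () => (present ? value : null),
    isString: () => typeof value === 'string',
    hasChildren: (keys) =>
      present && typeof value === 'object' && keys.every((k) => k in value),
  };
}

// Evaluate one rule expression from the page against a constructed write.
// before = value stored now (data), after = value once the write lands (newData).
function evalRule(expr, { before = null, after = null, auth = null, uid = 'alice' } = {}) {
  const fn = new Function('data', 'newData', 'auth', '$uid', 'now', `return (${expr});`);
  try {
    return fn(snap(before), snap(after), auth, uid, Date.now()) === true;
  } catch (e) {
    return false; // e.g. auth.uid when auth is null: treated as a denial
  }
}

// Constructed sample writes, one per operation.
const OPS = {
  create: { before: null, after: 'new' },
  update: { before: 'old', after: 'new' },
  delete: { before: 'old', after: null },
};

// List the operations a ".write" expression permits for the given auth context.
function allowedOps(expr, ctx = {}) {
  return Object.keys(OPS).filter((op) => evalRule(expr, { ...ctx, ...OPS[op] }));
}

for (const expr of [
  '!data.exists()',
  'newData.exists()',
  '!data.exists() || !newData.exists()',
  'data.exists() && newData.exists()',
  '$uid === auth.uid',
]) {
  console.log(expr.padEnd(38), '->', allowedOps(expr, { auth: { uid: 'alice' } }).join(', '));
}
```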
@pookdeveloper

commented Apr 28, 2018

Hello, how can I specify emails for the security? Thanks

@SerggioC

commented Jun 28, 2018

You can use regex to validate emails.

@vdjaures

commented Jul 11, 2018

Small question, new to database ... All rule attributes must be under one rule or can there be multiple { "rules": { with different parameters?

@Ananthusubramanian

commented Aug 10, 2018

Can I know if there are any rules for allowing only a set of children not more than that, inside a child?

@marataziat

commented Aug 12, 2018

@Ananthusubramanian No, you can't

@learnbit

commented Sep 20, 2018

Great contribution. It would be great to also have rules for validating some fields with some types.

@lukepighetti

commented Sep 22, 2018

Any thoughts on how to allow an update to a node only if two values are present? (eg: "message" and "time_updated" must both be updated at the same time)

@ohabash

commented Oct 3, 2018

Is there a write rule that will make sure that only a certain app or URL can write to it?

@aniketmlk6

commented Nov 11, 2018

good job

@TannoFinn

commented Dec 29, 2018

Thank you so much! Still one thing I don't understand - how can I combine these in one expression? I want users to only access their own posts but being able to delete them. At the moment this does not allow my users to "remove" posts, instead it throws a permission error. Shouldn't it work anyway as $uid === auth.uid gets true and there is no other literal to it?

{
  "rules": {
    ".read": false,
    ".write": false,
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

@sebastiandg7

commented Feb 10, 2019

@TannoFinn maybe a little late but... you can use ".delete" also

@Uroos

commented Feb 17, 2019

Thanks a lot. One single goto place for all the basic and most commonly used rules.

@blu94

commented Feb 22, 2019

May I know how to edit database data through POSTMAN or an HTTP request after applying the rules?

@ziachand

commented Apr 2, 2019

Can you please provide a sample of using unique fields in a collection?
