Common Database Rules for Firebase
// No Security
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
// Full security
{
  "rules": {
    ".read": false,
    ".write": false
  }
}
// Only authenticated users can access/write data
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
// Checks auth uid equals database node uid
// In other words, the user can only access their own data
{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
// Validates user is moderator from different database location
// (reads the writing user's own flag at /users/{auth.uid}/moderator)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "root.child('users').child(auth.uid).child('moderator').val() === true"
      }
    }
  }
}
// Validates string datatype and length range
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
      }
    }
  }
}
// Checks presence of child attributes
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.hasChildren(['username', 'timestamp'])"
      }
    }
  }
}
// Validates timestamp is not a future value
{
  "rules": {
    "posts": {
      "$uid": {
        "timestamp": {
          ".validate": "newData.val() <= now"
        }
      }
    }
  }
}
// Prevents Delete or Update (create only)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists()"
      }
    }
  }
}
// Prevents only Delete (create and update allowed)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "newData.exists()"
      }
    }
  }
}
// Prevents only Update (create and delete allowed)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists() || !newData.exists()"
      }
    }
  }
}
// Prevents Create and Delete (update only)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "data.exists() && newData.exists()"
      }
    }
  }
}
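As an added example (not the gist's own code and not Firebase's rules engine): a small Python model of how Realtime Database ".read"/".write" rules cascade downward from the root, plus the four create/update/delete write expressions from the gist, so the snippets can be sanity-checked offline. Rule strings become Python lambdas over a context dict; "auth" is assumed to be a bare uid string or None, "data"/"new_data" are existence booleans, and ".validate" and multi-child writes are not modeled.

```python
# Added example, not code from the gist: a minimal model of Realtime Database
# rule cascading. A .read/.write that grants at a path or any ancestor wins;
# a rule at a deeper path cannot grant access at its parent. Wildcard keys
# start with "$" and are bound to the matching path segment.

def _levels(rules, path):
    """Yield (rule node, wildcard bindings) for the root and each path segment."""
    node, bound = rules, {}
    yield node, dict(bound)
    for seg in path:
        if seg in node:
            node = node[seg]
        else:  # fall back to a $wildcard child, binding it to this segment
            wild = next((k for k in node if k.startswith("$")), None)
            if wild is None:
                return
            bound[wild] = seg
            node = node[wild]
        yield node, dict(bound)

def can_read(rules, path, auth):
    """A read is allowed if any .read at the path or an ancestor grants it."""
    ctx = {"auth": auth}
    return any(n[".read"]({**ctx, **b}) for n, b in _levels(rules, path) if ".read" in n)

def can_write(rules, path, auth, data_exists, new_data_exists):
    """A write is allowed if any .write at the path or an ancestor grants it."""
    ctx = {"auth": auth, "data": data_exists, "new_data": new_data_exists}
    return any(n[".write"]({**ctx, **b}) for n, b in _levels(rules, path) if ".write" in n)

# Constructed ruleset: the gist's per-user posts rule under a top-level deny.
RULES = {
    ".read": lambda c: False,
    ".write": lambda c: False,
    "posts": {"$uid": {
        ".read": lambda c: c["$uid"] == c["auth"],
        ".write": lambda c: c["$uid"] == c["auth"],
    }},
}

# The gist's four write expressions; data/new_data stand for data.exists()
# and newData.exists(). A delete is a write whose newData does not exist.
WRITE_RULES = {
    "create only": lambda c: not c["data"],
    "no delete": lambda c: c["new_data"],
    "no update": lambda c: not c["data"] or not c["new_data"],
    "update only": lambda c: c["data"] and c["new_data"],
}
OPS = {"create": (False, True), "update": (True, True), "delete": (True, False)}

def allowed_ops(rule):
    """Which of create/update/delete a write expression permits."""
    return {op for op, (d, n) in OPS.items() if rule({"data": d, "new_data": n})}
```

Running can_read on ["posts"] shows why a client listening at the parent of a per-user wildcard is denied even though each child grants its owner: nothing at or above "/posts" grants the read.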
@pookdeveloper pookdeveloper commented Apr 28, 2018

Hello, how can I specify emails for the security? Thanks

@SerggioC SerggioC commented Jun 28, 2018

You can use regex to validate emails.

@vdjaures vdjaures commented Jul 11, 2018

Small question, I'm new to databases... Must all rule attributes be under one rule, or can there be multiple { "rules": { with different parameters?

@Ananthusubramanian Ananthusubramanian commented Aug 10, 2018

Can I know if there are any rules for allowing only a set of children, and not more than that, inside a child?

@ghost ghost commented Aug 12, 2018

@Ananthusubramanian No, you can't.

@learnbit learnbit commented Sep 20, 2018

Great contribution. It would be great to also have one for validating some fields with some types.

@lukepighetti lukepighetti commented Sep 22, 2018

Any thoughts on how to allow an update to a node only if two values are present? (e.g. "message" and "time_updated" must both be updated at the same time)

@ohabash ohabash commented Oct 3, 2018

Is there a write rule that will make sure that only a certain app or URL can write to it?

@aniketmlk6 aniketmlk6 commented Nov 11, 2018

Good job.

@TannoFinn TannoFinn commented Dec 29, 2018

Thank you so much! Still one thing I don't understand: how can I combine these in one expression? I want users to only access their own posts but be able to delete them. At the moment this does not allow my users to "remove" posts; instead it throws a permission error. Shouldn't it work anyway, as $uid === auth.uid gets true and there is no other literal to it?

{
  "rules": {
    ".read": false,
    ".write": false,
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

@sebastiandg7 sebastiandg7 commented Feb 10, 2019

@TannoFinn maybe a little late but... you can use ".delete" also

@Uroos Uroos commented Feb 17, 2019

Thanks a lot. One single go-to place for all the basic and most commonly used rules.

@blu94 blu94 commented Feb 22, 2019

May I know how to edit database data through Postman or an HTTP request after applying the rules?

@ziarv ziarv commented Apr 2, 2019

Can you please provide a sample of using unique fields in a collection?

@muankit muankit commented Jan 14, 2020

I am registering users using Google sign-in, and on successful sign-in I save the user's email and name in the database.
This rule is working fine:

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

but I want to use this rule:

{
  "rules": {
    "Users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

but it is saying permission denied.

My Firebase Database structure looks like this:

MAIN_NODE
  |
  - Users
      |
      - UID1
          |- NAME : USERNAME
          |- EMAIL : USER_EMAIL
      - UID2
          |- NAME : USERNAME
          |- EMAIL : USER_EMAIL
      - UID3
          |- NAME : USERNAME
          |- EMAIL : USER_EMAIL

What should I change in these rules to be permitted to write and read?

@asterixorobelix asterixorobelix commented Jan 25, 2020

Is there a way to prevent reads for anyone other than my app, using the Android applicationId?

@bulatgab bulatgab commented Feb 18, 2020

This doesn't seem to be correct (checking if the user is a moderator):
".write": "root.child('users').child('moderator').val() === true"

Shouldn't it be this way?
".write": "root.child('users').child('moderator').child(auth.uid).exists()"

@chirag-jn chirag-jn commented Apr 21, 2020

Rule to allow only the admin accounts to make an update to the database while allowing global reading access:

{
  "rules": {
    ".read": true,
    ".write": false
  }
}
@isshin698 isshin698 commented May 16, 2020

Hello @codediodeio,
I am creating an application where the users should be able to read the posts and also comment on the posts.
They should also be able to delete or edit their own comments.

However, only the admin should be allowed to make, edit, and delete the posts.
Also, all of my users are required to sign in to the application.
Please tell me what rules I should set.

@sandydebug sandydebug commented May 28, 2020

May I know how to edit database data through Postman or an HTTP request after applying the rules?

You need to authenticate using email/password by giving them in the header fields of the POST request, and then post the data to be updated in JSON format.

@dchattar dchattar commented Jun 29, 2020

You are awesome. Thanks!

@Shaunmax Shaunmax commented Jul 13, 2020

// Validates timestamp is not a future value

{
  "rules": {
    "posts": {
       "$uid": {
         "timestamp": { 
           ".validate": "newData.val() <= now" 
         }
       }
     }
   }
}

Is it possible to set a rule for timestamp which will check if the timestamp is <= now && >= (now - 1 hour)?
i.e. I don't want to allow any writes which were posted an hour ago!

@ChrisMcG2020 ChrisMcG2020 commented Aug 25, 2020

I am using these rules at present:

{
  "rules": {
    "Users": {
      "$uid": {
        ".read": "auth != null",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}

I want any authenticated user to see the info, while any profile updates should be carried out by the person with the authorised UID. When I run this, the read access is denied; logcat says permission denied:

Listen at /Users failed: DatabaseError: Permission denied

I have a profile page in my app and all the info is blank. However, if I click into the info to edit it, it will update and display it in the app. Also, if I remove the "Users" part from the rules I can see the info but cannot update. Any ideas what the issue is? I want to use these rules, and all documentation/videos seem to suggest this approach, but I cannot get them implemented. Also, in the rules playground I can get the read at the path, with the authenticated UID, to pass.

@adelelzeiny adelelzeiny commented Oct 6, 2020

How can I make some users see posts? I added them by UID.
