@codediodeio
Last active July 24, 2024 21:05
Common Database Rules for Firebase
// No Security
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
// Full security
{
  "rules": {
    ".read": false,
    ".write": false
  }
}
// Only authenticated users can access/write data
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}
// Validates user is moderator from different database location
// (as written, this reads the single value at /users/moderator and does not reference auth.uid)
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "root.child('users').child('moderator').val() === true"
      }
    }
  }
}
// Validates string datatype and length range
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
      }
    }
  }
}
// Checks presence of child attributes
{
  "rules": {
    "posts": {
      "$uid": {
        ".validate": "newData.hasChildren(['username', 'timestamp'])"
      }
    }
  }
}
// Validates timestamp is not a future value
{
  "rules": {
    "posts": {
      "$uid": {
        "timestamp": {
          ".validate": "newData.val() <= now"
        }
      }
    }
  }
}
// Prevents Delete or Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists()"
      }
    }
  }
}
// Prevents only Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "newData.exists()"
      }
    }
  }
}
// Prevents only Update
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "!data.exists() || !newData.exists()"
      }
    }
  }
}
// Prevents Create and Delete
{
  "rules": {
    "posts": {
      "$uid": {
        ".write": "data.exists() && newData.exists()"
      }
    }
  }
}
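
The patterns above combined into one ruleset, as an added example that is not part of the original gist: owner-or-moderator writes with the moderator flag keyed by `auth.uid`, deletes blocked, and per-field validation. The `moderators/$uid` path and the `body` field are assumptions made for illustration.

```json
// Added example. "posts/$uid", "username" and "timestamp" follow the gist;
// "moderators/$uid" and "body" are assumed names.
{
  "rules": {
    "moderators": {
      // Assumed layout: /moderators/<uid> = true, maintained from the console
      // or the Admin SDK. Clients can neither read nor write it, but rule
      // expressions can still read it through root.
      ".read": false,
      ".write": false
    },
    "posts": {
      "$uid": {
        // Any signed-in user may read
        ".read": "auth != null",
        // Owner or moderator may write; newData.exists() blocks deletes
        ".write": "auth != null && newData.exists() && ($uid === auth.uid || root.child('moderators').child(auth.uid).val() === true)",
        // Required children of every post
        ".validate": "newData.hasChildren(['username', 'timestamp', 'body'])",
        "username": {
          ".validate": "newData.isString() && newData.val().length > 0"
        },
        "timestamp": {
          ".validate": "newData.isNumber() && newData.val() <= now"
        },
        "body": {
          ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 140"
        },
        // Reject any child that is not listed above
        "$other": {
          ".validate": false
        }
      }
    }
  }
}
```

`.read` and `.write` grants cascade to child paths and cannot be revoked deeper in the tree, while `.validate` rules do not cascade, which is why each field carries its own.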
@deflexable

What if I want to make an if statement in rules, how?
For example:
user can write in "MyRequests" child if his authUid = (saved Uid in "MyFollowers" child)

@hatimmts you can use "( )" to make an if statement in rules; this is really useful when dealing with "| |".

This basically groups the rule into a separate unit, but all your commands are executed at once no matter how you nest the "( )".

You can use root, newData, data, parent(), child() to navigate through different nodes in the database.

@NaqiControl

NaqiControl commented May 5, 2021

@visalsen

visalsen commented Jul 5, 2021

Can you help me? I'm new, so I don't know this problem in depth. When I used this:
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
It didn't work. A 401 (Unauthorized) message appears.
It worked only for:
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

@sandydebug

Access is given only if you authenticate the user. That is, you need to perform Firebase authentication using email/password, mobile sign-in or any other method, and then try to access the database.

@ajlanga

ajlanga commented Mar 4, 2022

This doesn't seem to be correct (checking if the user is a moderator): ".write": "root.child('users').child('moderator').val() === true"

Shouldn't it be this way? ".write": "root.child('users').child('moderator').child(auth.uid).exists()"

@bulatgab - Were you able to get this to work? I've tried this but keep getting 401 errors.

@koddek

koddek commented Sep 12, 2022

Hi all. I am using the Firebase REST API to read/write to Firebase real-time database. e.g. "[path-to-db].json".
How do I set the db rules to be able to freely read from the database, while needing to pass an auth password in URL to be able to write to the database? e.g. "[path-to-db].json?auth=[some-password]"

@capscode

Nice one, thanks for this...

JUST 2 DOUBTS, any help will be highly appreciated.

// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

DOUBT-1
In the above security rule,
the currently logged-in user is able to access (read/write) their node/data.
Is my understanding correct?

DOUBT-2
And how can I achieve that, when the admin of this Firebase is logged in, the admin is able to write, and other users are not able to perform any write operation?

@AlexSloo157

Hi, I want to know .. how I created key and I can't delete it only . or update . without is child "data"