Skip to content

Instantly share code, notes, and snippets.

@codediodeio
Last active September 1, 2024 22:58
Show Gist options
  • Save codediodeio/6dbce1305b9556c2136492522e2100f6 to your computer and use it in GitHub Desktop.
Save codediodeio/6dbce1305b9556c2136492522e2100f6 to your computer and use it in GitHub Desktop.
Common Database Rules for Firebase
// No Security
{
"rules": {
".read": true,
".write": true
}
}
// Full security
{
"rules": {
".read": false,
".write": false
}
}
// Only authenticated users can access/write data
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
// Validates user is moderator from different database location
{
"rules": {
"posts": {
"$uid": {
".write": "root.child('users').child('moderator').val() === true"
}
}
}
}
// Validates string datatype and length range
{
"rules": {
"posts": {
"$uid": {
".validate": "newData.isString()
&& newData.val().length > 0
&& newData.val().length <= 140"
}
}
}
}
// Checks presense of child attributes
{
"rules": {
"posts": {
"$uid": {
".validate": "newData.hasChildren(['username', 'timestamp'])"
}
}
}
}
// Validates timestamp is not a future value
{
"rules": {
"posts": {
"$uid": {
"timestamp": {
".validate": "newData.val() <= now"
}
}
}
}
}
// Prevents Delete or Update
{
"rules": {
"posts": {
"$uid": {
".write": "!data.exists()"
}
}
}
}
// Prevents only Delete
{
"rules": {
"posts": {
"$uid": {
".write": "newData.exists()"
}
}
}
}
// Prevents only Update
{
"rules": {
"posts": {
"$uid": {
".write": "!data.exists() || !newData.exists()"
}
}
}
}
// Prevents Create and Delete
{
"rules": {
"posts": {
"$uid": {
".write": "data.exists() && newData.exists()"
}
}
}
}
@sandydebug
Copy link

Only if you authenticate the user , the access is given .Like you need to perform firebase authentication using email password or mobile signin or any other method and then try to access the database .

@ajlanga
Copy link

ajlanga commented Mar 4, 2022

This doesn't seem to be correct (checking if the user is a moderator): ".write": "root.child('users').child('moderator').val() === true"

Shouldn't it be this way? ".write": "root.child('users').child('moderator').child(auth.uid).exists()"

@bulatgab - Were you able to get this to work? I've tried this but keep getting 401 errors.

@koddek
Copy link

koddek commented Sep 12, 2022

Hi all. I am using the Firebase rest API to read/write to Firebase real-time database. e.g. "[path-to-db].json".
How do I set the db rules to be able to freely read from the database, while needing to pass an auth password in URL to be able to write to the database? e.g. "[path-to-db].json?auth=[some-password]"

@capscode
Copy link

Nice one, thanks for this...

JUST 2 DOUBT, any help will be highly appreciated.

// Checks auth uid equals database node uid
// In other words, the User can only access their own data
{
"rules": {
"posts": {
"$uid": {
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}

DOUBT-1
In the above security rule,
the current logged in user can be able to access (read/write) their node/data.
is my understanding correct??

DOUBT-2
and how can i achieve that when the admin of this firebase logged in, then the admin can be able to write, and other user will not be able to access any write operation???

@AlexSloo157
Copy link

hi i want know .. how i created key and i cant delet it only . or update . without is child"data"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment