Skip to content

Instantly share code, notes, and snippets.

@kmaida
Last active January 3, 2018 14:49
Show Gist options
  • Save kmaida/4457f0faed0bf0da36a3731754df3f24 to your computer and use it in GitHub Desktop.
Save kmaida/4457f0faed0bf0da36a3731754df3f24 to your computer and use it in GitHub Desktop.
Firebase rules: all users can read, authenticated users can create if they provide a uid, owner can delete, owner can update.
{
"rules": {
".read": "true",
".write": "auth != null",
"<ITEMS>": {
".indexOn": "<PROPERTY TO INDEX BY>",
"$comment": {
".write": "(!data.exists() && newData.child('uid').val() == auth.uid) || (data.exists() && data.child('uid').val() == auth.uid && !newData.exists()) || (data.exists() && data.child('uid').val() == auth.uid && newData.child('uid').val() == auth.uid)"
}
}
}
}
@kmaida
Copy link
Author

kmaida commented Dec 13, 2017

Authenticated users can write new data:
(!data.exists() && newData.child('uid').val() == auth.uid)
No existing data, new data being written has a uid property that matches the authenticated user's uid

Authenticated users can delete their own data:
(data.exists() && data.child('uid').val() == auth.uid && !newData.exists())
Data exists, the data has a property uid matching the authenticated user's uid, and no new data is being written

Authenticated users can update their own data:
(data.exists() && data.child('uid').val() == auth.uid && newData.child('uid').val() == auth.uid)
Data exists, the data has a property uid matching the authenticated user's uid, and new data being written also has matching uid

Notes:

Firebase RTDB security rules cascade, meaning additional access can be granted down the cascade, but access cannot be revoked. Most permissive rule must be at the top.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment