4

My firebase database rule is like the following:

    {
      "rules": {
        "users": {
          "$uid": {
            ".read": "auth != null || root.child('users').child(auth.uid).child('role').val() == 'teacher'",
            ".write": "auth != null || root.child('users').child(auth.uid).child('role').val() == 'teacher'"
          }
        }
      }
    }

My goal is the following:

  • Every user can read/write their OWN data only.
  • Only users with the value 'teacher' defined in their corresponding child named 'role' can read/write EVERY other user's data.

How can I achieve this rule setting?
cplus

2 Answers

6

This seems to be what you're looking for:

    {
      "rules": {
        "users": {
          ".read": "root.child('users').child(auth.uid).child('role').val() == 'teacher'",
          ".write": "root.child('users').child(auth.uid).child('role').val() == 'teacher'",
          "$uid": {
            ".read": "auth.uid == $uid",
            ".write": "auth.uid == $uid"
          }
        }
      }
    }

With this:

  • teachers have read and write permission to the entire users node
  • other users have read and write permission to their own node only
Frank van Puffelen
0

How about this one, removing the $uid:

    {
      "rules": {
        "users": {
          ".read": "auth != null || root.child('users').child(auth.uid).child('role').val() == 'teacher'",
          ".write": "auth != null || root.child('users').child(auth.uid).child('role').val() == 'teacher'"
        }
      }
    }
Marcel
  • Removing the uid rule does not satisfy the OP's first requirement: "Every user can read/write their OWN data only." – Brian Ogden Jul 08 '17 at 19:16
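
The three rule sets on this page can be compared with a small model of rule evaluation, added here as an example that is not from any of the posters and is not Firebase's own engine. The sample users `t1`, `s1` and `s2`, the `snap` shim and all function names are assumptions, and only the `.read`/`.write` cascade, `$` wildcards and default deny are modelled:

```javascript
// Constructed sample data: one teacher and two students.
const DB = { users: { t1: { role: 'teacher' }, s1: { role: 'student' }, s2: { role: 'student' } } };
// Minimal stand-in for the `root` snapshot: only child() and val() are modelled.
const snap = (node) => ({
  child: (key) => snap(node == null ? undefined : node[key]),
  val: () => (node === undefined ? null : node),
});
const TEACHER = "root.child('users').child(auth.uid).child('role').val() == 'teacher'";
const ANY_AUTH = `auth != null || ${TEACHER}`;
const RULESETS = {
  question: { users: { $uid: { '.read': ANY_AUTH, '.write': ANY_AUTH } } },
  answer1: { users: { '.read': TEACHER, '.write': TEACHER,
                      $uid: { '.read': 'auth.uid == $uid', '.write': 'auth.uid == $uid' } } },
  answer2: { users: { '.read': ANY_AUTH, '.write': ANY_AUTH } },
};
// Evaluate one rule string; an evaluation error (auth.uid with auth null) denies.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  try {
    const fn = new Function('auth', 'root', ...names, `return (${expr});`);
    return Boolean(fn(auth, snap(DB), ...names.map((n) => vars[n])));
  } catch (err) { return false; }
}

// Walk from the root to `path`; the first rule that grants `op` wins (cascade).
function allowed(rules, op, path, auth) {
  const segs = path.split('/').filter(Boolean);
  let node = rules; const vars = {};
  for (let i = 0; ; i++) {
    if (node[op] !== undefined && evalRule(node[op], auth, vars)) return true;
    if (i === segs.length) return false;
    const wild = Object.keys(node).find((k) => k.startsWith('$'));
    if (Object.prototype.hasOwnProperty.call(node, segs[i])) node = node[segs[i]];
    else if (wild) { vars[wild] = segs[i]; node = node[wild]; }
    else return false; // no rule covers this path: default deny
  }
}

function report(name) {
  const r = RULESETS[name], student = { uid: 's1' }, teacher = { uid: 't1' };
  return {
    studentOwn: allowed(r, '.read', '/users/s1', student),
    studentOther: allowed(r, '.write', '/users/s2', student),
    teacherOther: allowed(r, '.write', '/users/s1', teacher),
    anonymous: allowed(r, '.read', '/users/s1', null),
    studentOwnRole: allowed(r, '.write', '/users/s1/role', student),
  };
}
for (const name of Object.keys(RULESETS)) console.log(name, report(name));
```

In this model `studentOther` is true for the question's rules and for the second answer, and false only for the first answer. `studentOwnRole` is true in all three: a `.write` grant on `$uid` cascades to the `role` child, so the role value needs its own `.validate` rule or a location the owner cannot write.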