
Here are the rules for a list of objects. If you are authenticated you can access everything. If not, some objects are public, some aren't (boolean public property). The rules below for the $object work fine if you try to access the object directly.

"list": {
  ".read": ???????????? ,
  ".write": "auth != null",
  "$object": {
    ".read": "auth != null || data.child('public').val() === true",
    ".write": "auth != null"
  }
}

But I also need rules to list ONLY the public objects if you are not authenticated. How can I set the read rules for a property of a generated $key inside its parent list? Something like:

"list": {
  ".read": "auth != null || data.child('$key').child('public').val() === true"
}
cerealex
  • Mathew explains it below, but also see http://stackoverflow.com/a/14298525/209103 (and probably most other questions that mention the magic phrase "rules are not filters"). – Frank van Puffelen Sep 08 '16 at 21:13

1 Answer


You cannot do filtering by .read

From: https://firebase.google.com/docs/database/security/securing-data

Rules Are Not Filters

Rules are applied in an atomic manner. That means that a read or write operation is failed immediately if there isn't a rule at that location or at a parent location that grants access. Even if every affected child path is accessible, reading at the parent location will fail completely.

Mathew Berg
  • Yeah, I read that. That's why I'm trying to pass the .read condition from the child to the parent. But there must be a way to filter server side what a user can or cannot see when listing objects. Am I wrong? – cerealex Sep 08 '16 at 19:45
  • No you can't, that's exactly what this is saying. If you want to filter it by user you'll have to store it somewhere else by user. – Mathew Berg Sep 08 '16 at 20:05
  • So if there is no auth involved you can only choose between showing the whole list or not showing anything at all? – cerealex Sep 08 '16 at 21:05
  • Not sure I understand but rules cannot filter but I think the answer is yes. You can filter based on sorting etc... – Mathew Berg Sep 08 '16 at 21:12
  • That is indeed correct. Firebase enforces the access control on the location where you attach a listener. So either you have read permission on `list` (in which case you can read everything under it) or you don't. – Frank van Puffelen Sep 08 '16 at 21:12