0

Sample collection of users.

"users":{
    "uid1":{
        "type":"normal"
    },
    "uid2":{
        "type":"normal"
    },
    "uid3":{
        "type":"admin"
    },
    "uid4":{
        "type":"super-admin"
    },
    "uid5":{
        "type":"disabled"
    }
}

Sample rules.

"rules":{ 
    "users":{ // I dont want the collection to be readable to everyone
        "$uid":{
            ".read":"auth.uid == $uid",
            ".write":"auth.uid == $uid"
        }
    }
}

Sample query.

firebase.database()
    .ref('users')
    .orderByChild('type')
    .equalTo('normal')
    .once('value')
    .then()
    .catch()

This query however returns a Permission denied error on path /users. How do I make the base collection secure but still the children are readable via orderByChild()?

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
jofftiquez
  • 7,548
  • 10
  • 67
  • 121
  • This is known as ["rules are not filters" in the Firebase documentation](https://firebase.google.com/docs/database/security/securing-data#rules_are_not_filters) and has been [covered quite some times before on StackOverflow too](http://stackoverflow.com/search?q=%5Bfirebase%5D+rules+are+not+filters). It essentially boils down to the fact that rules cannot be used to filter data, so you'll have to create a secondary index (i.e. list of keys) to query against. For one of the oldest answer, see http://stackoverflow.com/a/14298525/209103 – Frank van Puffelen May 05 '17 at 03:51
  • @FrankvanPuffelen Thanks for the references. May I request an example `you'll have to create a secondary index to query against.` for the given situation above. Thanks. – jofftiquez May 05 '17 at 03:53
  • Did you check the examples already? There are quite a few of those samples, but you will have to modify them to fit your needs. – Frank van Puffelen May 05 '17 at 04:01
  • Thanks @FrankvanPuffelen – jofftiquez May 05 '17 at 04:21

0 Answers0