Firebase Database read whole node but depends on child node permission to return correct data

Question

I setup rules on Firebase like this:

 "Data": {
  ".read": true,
    "data1": {
      ".write": "root.child('Permissions').child(auth.uid).val() == 'admin'",
      ".read": true
    },
    "data2": {
      ".write": "root.child('Permissions').child(auth.uid).val() == 'admin'",
      ".read": "root.child('Permissions').child(auth.uid).val() == 'admin'"
    }
}

and in my code, I want that when I read the node "Data", and data return should only contain "data1" node if users do not have "admin" permission, else both "data1" & "data2" are returned. Currently, when I get child "Data", both are return.

then it will be permission deny when I try to read Data node — Hoang Trung, Sep 07 '17 at 13:08
from another question (https://stackoverflow.com/questions/14296625/restricting-child-field-access-with-security-rules) it seems that firebase doesn't allow "filtering" the data via the permissions. — mbehzad, Sep 07 '17 at 13:25

score 1 · Answer 1 · answered Sep 07 '17 at 12:59

1

According to the docs:

{
   "rules": {
     "foo": {
       // allows read to /foo/*
       ".read": "data.child('baz').val() === true",
       "bar": {
         /* ignored, since read was allowed already */
         ".read": false
       }
      }  
    }
}

if you allow read or write on a higher level (".read": true), it ignores other rules down the tree (".read": "root.child('Permissions').child(auth.uid).val() == 'admin'").

answered Sep 07 '17 at 12:59

mbehzad

3,758
3
22
29

do u have a solution for my problem? – Hoang Trung Sep 07 '17 at 13:10
1

i think you have to pull the data separately. `Data/data1` and `Data/data2` instead of `Data` – mbehzad Sep 07 '17 at 13:28

Firebase Database read whole node but depends on child node permission to return correct data

1 Answers1