Firebase Database rules ignore child rule

Question

I am trying to add a simple rule to firebase database. the child node activities have proper access but the leads don't. if I sent the parent read true and then child rules are ignored. how can I set parent true to public but child restricted?

    {
  "rules": {
    "leads": {
      "$activity": {
        ".read": 
    "root.child('users_business_activities').
    child(auth.uid).hasChild(data.child('category').val())",
        ".write" : 
    "root.child('users').child(auth.uid).child('isAdmin').val() == true"
      }
    },
    "users": {
      "$uid": {
        ".read": "auth.uid == true",
        ".write": "auth.uid == $uid"
      }
    },
    "business_activities": {
        ".read": "auth.uid == true",
        ".write": "false"
    }
  }
}

Answer 1

In the Firebase Realtime Database permissions cascade downwards. Once you give a user read permission on /leads, you can't take that permission away lower in the JSON tree.

This has a few consequences:

• Security rules cannot be used to filter data. This is known as rules are not filters in the Firebase documentation. I also recommend reading some of the many existing questions on this topic.
• You will often need to create a lookup list of the activity IDs that a user has access to. Such a lookup list is often known as an "index" in Firebase terms. The documentation on creating scalable data structures has a good example of such a structure.
• If part of the data for an activity/lead needs to be publicly readable, and part needs to remain private, you'll want to split the public and private parts into separate top-level nodes. This splitting is known as flattening you data structure in the docs. I also gave an answer here to show how to use this for user profile information.