
I have a node inside my app that users can write to but they can't read to.

let specialNodeRef = dbRef.child("specialNode").childByAutoId()
specialNodeRef.updateChildValues(dict)

Is there a way I can set the rules so that only admin can read from that node even though the rules are set to false outside of using the console?

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    },
    "specialNode": {
      ".read": false, // users can't read but admin can
      ".write": "auth.uid != null"
    }
  }
}
Lance Samaria

1 Answer


Users running the Firebase Admin SDK, or accessing the database through the Firebase console, access the database with administrative privileges. They can always read/write, so are not affected by the ".read": false.

If you want to declare one/some of the users of your application as having specific privileges, you can include their Firebase Authentication UID in the rules:

".read": "auth.uid == 'uidOfLance'"

A bit more flexible is to store the UID of each such user in the database in a form like:

"admins": {
  "uidOfLance": true,
  "uidOfPuf": true
}

You can then check for the UID in your security rules:

".read": "root.child('admins').child(auth.uid).exists()"
Frank van Puffelen
  • If I'm running the app on my device and I want to bypass the rules how do I go about doing that? That's the part I'm lost at. Basically on my device I can also write to that node but I can read from it too. I want to avoid the console for that part. – Lance Samaria May 30 '18 at 01:12
  • I think we might be talking about a different "administrator" here. What defines an administrator for your app? Is it just you yourself, as in a Firebase Authentication user with a specific UID? – Frank van Puffelen May 30 '18 at 01:19
  • Yes exactly, I apologize for not being clear. I'm the only person who has access to the db. Ahhhh I see where you're going with this. I can do something like: "specialNode": { ".read": "false || auth.uid === 'mySpecificUID'", ".write": "auth.uid != null" } – Lance Samaria May 30 '18 at 01:22
  • Yup, that's the simplest way. Alternatively make a list of such UIDs (e.g. store `"uidOfLance": true` under `/admins`) and then check in rules: `".read": "root.child('admins').child(auth.uid).exists()"`. – Frank van Puffelen May 30 '18 at 03:02
  • Thank you very much for the much assisted help! :) – Lance Samaria May 30 '18 at 03:03
  • I like the idea you posted because it works well if someone has a team of people they want to have admin bypass privileges. Very good idea. I’m surprised I haven’t seen any other answers like this. – Lance Samaria May 30 '18 at 07:23
  • hi, I have a new requirement where admin (myself and a few others) wants to read from the users node, would it go like this: **"users": { "$uid": { ".read": "auth.uid == $uid || root.child('admins').child(auth.uid).exists()", ".write": "auth.uid == $uid" } }** – Lance Samaria Dec 04 '19 at 18:49
  • That looks OK at first glance. If it doesn't work, please open a new question with a new [MCVE](http://stackoverflow.com/help/mcve). – Frank van Puffelen Dec 05 '19 at 00:24
  • Ok thanks. Either way I'll let you know the results by tomorrow morning. Thanks – Lance Samaria Dec 05 '19 at 01:17
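To see which requests the `/admins`-list pattern from the answer (and the `users` rule proposed in the later comment) lets through, here is an added example, not code from the question, the answer or Firebase itself: a small in-memory model where each rule expression is mirrored by a JavaScript predicate and evaluated against constructed sample data. Firebase's real rules engine is the authority; the UIDs, the `canAccess` helper and the sample tree are assumptions for illustration.

```javascript
// Constructed sample database contents (not real data).
const db = {
  admins: { uidOfLance: true, uidOfPuf: true },
  users: { alice: { name: "Alice" }, uidOfLance: { name: "Lance" } },
  specialNode: { "-Nabc": { msg: "hi" } },
};

function isAdmin(auth) {
  // Mirrors "root.child('admins').child(auth.uid).exists()".
  // An unauthenticated request has no auth object, so it can never be admin.
  return auth !== null && db.admins[auth.uid] === true;
}

// One predicate per rule; the comment above each gives the rules-language form.
const rules = {
  users: {
    // ".read": "auth.uid == $uid || root.child('admins').child(auth.uid).exists()"
    read: (auth, uid) => (auth !== null && auth.uid === uid) || isAdmin(auth),
    // ".write": "auth.uid == $uid"
    write: (auth, uid) => auth !== null && auth.uid === uid,
  },
  specialNode: {
    // ".read": "root.child('admins').child(auth.uid).exists()"
    read: (auth) => isAdmin(auth),
    // ".write": "auth.uid != null"
    write: (auth) => auth !== null,
  },
  admins: {
    // No rule is written for /admins, and Firebase denies anything no rule grants.
    // Only the console or the Admin SDK (which bypass rules) can edit the list, so a
    // signed-in user cannot add their own UID to it.
    read: () => false,
    write: () => false,
  },
};

// Decide whether `auth` (object with uid, or null) may perform `op` on `node`.
// `key` is the $uid wildcard for the users node; unknown nodes are denied.
function canAccess(auth, op, node, key) {
  const rule = rules[node] && rules[node][op];
  return rule ? rule(auth, key) : false;
}
```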