I have the following security rules:

    {
      "rules": {
        "users": {
          ".read" : true,
          "$user_id": {
            ".read": true,
            ".write": "auth != null && $user_id === auth.uid"
          }
        }
      }
    }

My data looks like:

    {
      "users" : {
        "JIZW3KswDDMggo9U1WwCoIamHaU2" : {
          "-L8s34CZsCgodNxgF09G" : {
            "email" : "lmn@yahoo.co.in",
            "isAdmin" : true,
            "name" : "Mannu Sharma"
          }
        },
        "UKtLdQzPdWa2KJ10iXrjuV80JSd2" : {
          "-L8LTf95dxqQdjYHhFDB" : {
            "email" : "pqr@gmail.com",
            "name" : "Neeti Singhal"
          }
        },
        "YQCXFjnU8jaXR9xUXIgknp18Z3A3" : {
          "-L8TQTFiGLEuxCTbbrQ7" : {
            "email" : "abcd@gmail.com",
            "name" : "John Teslie"
          }
        }
      }
    }

My angularfire2 code to query data is:

    getUserByEmail(email: string) {
      console.log("start of getUserByEmail with email:" + email)
      return new Promise((resolve, reject) => {
        this.db.list("/users",
          ref => ref.orderByChild('email').equalTo(email)
        ).valueChanges().subscribe(
          res => {
            console.log('response:' + JSON.stringify(res))
            resolve(res)
          },
          err => {
            console.log(err)
            reject(err)
          }
        )
      })
    }

I have login with Facebook implemented. So when I log in with my email abcd@gmail.com and do the search, it returns me my record. But any other search does not work.

To my understanding, my security rule lets anyone query the users data. So what am I missing?

Frank van Puffelen
Vik

1 Answer

Your data is double-nested: you have /users/$uid/$pushId. That last level is not needed, and means that you can't query for a user by their email. For more on this general case see Firebase Query Double Nested.

But in this case the fix is quite simple: I don't think you need the level with the push IDs (-L....) in your JSON. You're likely adding the user data by calling push(), which isn't needed. Remove the call to push(), probably use set() in its stead, and you should lose that extra level in the JSON tree. With that level gone, you can query /users by the email property of each user.

Frank van Puffelen
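Why the query comes back empty on the nested layout and matches once the push-ID level is gone, as an added example that is not part of the original answer. `queryByChild` is a local model of `orderByChild().equalTo()` (not Firebase SDK code), and `flattenUsers`, the uids and the emails are constructed for illustration.

```javascript
// Local model of ref.orderByChild(childKey).equalTo(value): the query only
// inspects the DIRECT children of the queried location, never grandchildren.
function queryByChild(node, childKey, value) {
  const matches = {};
  for (const [key, child] of Object.entries(node || {})) {
    if (child !== null && typeof child === 'object' && child[childKey] === value) {
      matches[key] = child;
    }
  }
  return matches;
}

// Collapse /users/$uid/$pushId/{...} into /users/$uid/{...}, the shape that
// set() on /users/$uid would have written. Refuses ambiguous records.
function flattenUsers(users) {
  const flat = {};
  for (const [uid, record] of Object.entries(users)) {
    const keys = Object.keys(record);
    const nested = keys.length > 0 &&
      keys.every(k => record[k] !== null && typeof record[k] === 'object');
    if (!nested) { flat[uid] = record; continue; } // already flat, keep as is
    if (keys.length !== 1) {
      throw new Error(`user ${uid} has ${keys.length} push children; merge by hand`);
    }
    flat[uid] = record[keys[0]];
  }
  return flat;
}

// Constructed sample data in the question's shape (placeholder uids and emails).
const nestedUsers = {
  uidA: { '-pushA': { email: 'a@example.com', name: 'User A', isAdmin: true } },
  uidB: { '-pushB': { email: 'b@example.com', name: 'User B' } },
};
const flatUsers = flattenUsers(nestedUsers);

// Nested layout: children of /users are uid nodes with no "email" child.
console.log(queryByChild(nestedUsers, 'email', 'b@example.com'));
// Flat layout: each uid node carries "email" directly, so the query matches.
console.log(queryByChild(flatUsers, 'email', 'b@example.com'));
```

With the rules in the question, `".read": true` on `/users` lets any client, signed in or not, read every user record, including `email` and `isAdmin`. Adding `".indexOn": ["email"]` under `users` lets the database filter on the server instead of the client downloading the whole node.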