Androidparanoid

Reputation: 199

Firebase rules - read and write does not work the same

I'm trying to use "read" and "write" rules in a simple manner. It seems like the same conditions result in different behavior for each of them.

My rules:

{
    "rules": {
        ".read": true,
        ".write": false,
        "chat": {
            ".write": true
        },
        "users": {
            "$user_id": {
                ".read": "$user_id === auth.uid",
                ".write": "$user_id === auth.uid"
            }
        }
    }
}

Write response from the simulator:

Attempt to write {"key":"value"} to /users/1 with auth={"provider":"anonymous","uid":"1234"}
    /:.write: "false"
        => false
    /users
    /users/1:.write: "$user_id === auth.uid"
        => false

No .write rule allowed the operation.
Write was denied.

Read response from the simulator:

Attempt to read /users/1 with auth={"provider":"anonymous","uid":"1234"}
    /: "true"
        => true

Read was allowed.

Why?

Upvotes: 1

Views: 986

Answers (1)

Frank van Puffelen

Reputation: 598728

On the top level of your rules, you're allowing reads and disallowing writes.

{
    "rules": {
        ".read": true,
        ".write": false,

Firebase rules work top-down: once you allow something on a certain level, you cannot take it away on a lower level. The Firebase documentation says this about it:

This is a critical concept of understanding Security and Firebase Rules. The child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.

So your top-level ".read": true, supersedes any read rules you put on a lower level.

Upvotes: 2
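
Added example (not part of the original question or answer): a simplified JavaScript model of the cascade the answer describes, run against the posted rules and a restructured variant. The evaluator, the `isAllowed` helper and the `restructured` rule set are assumptions for illustration, not Firebase's own implementation.

```javascript
// Simplified model of Realtime Database rule cascading (not Firebase's evaluator).
// Supports boolean rules and string expressions over `auth` and $wildcards only.
function evalRule(rule, auth, vars) {
  if (typeof rule === "boolean") return rule;
  const names = Object.keys(vars);
  // Rule strings are JavaScript-like, so evaluate them with the captured variables in scope.
  const fn = new Function("auth", ...names, `return (${rule});`);
  try {
    return fn(auth, ...names.map((n) => vars[n])) === true;
  } catch (e) {
    return false; // assumption: a rule that errors (e.g. auth is null) denies
  }
}

function isAllowed(rules, op, path, auth) {
  const key = "." + op;
  const vars = {};
  let node = rules.rules;
  const segments = path.split("/").filter(Boolean);
  for (let i = 0; ; i++) {
    // A grant at any level on the way down allows the operation;
    // deeper rules are never consulted, so they cannot revoke it.
    if (node && key in node && evalRule(node[key], auth, vars)) return true;
    if (!node || i === segments.length) return false;
    const seg = segments[i];
    if (Object.prototype.hasOwnProperty.call(node, seg)) {
      node = node[seg];
    } else {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (wild) vars[wild] = seg; // bind the wildcard to this path segment
      node = wild ? node[wild] : null;
    }
  }
}

const ownerOnly = { ".read": "$user_id === auth.uid", ".write": "$user_id === auth.uid" };

// Rules as posted in the question.
const asPosted = { rules: { ".read": true, ".write": false,
  chat: { ".write": true }, users: { $user_id: ownerOnly } } };

// Constructed variant: no root-level grants, read granted only where intended.
const restructured = { rules: {
  chat: { ".read": true, ".write": true }, users: { $user_id: ownerOnly } } };

const auth = { provider: "anonymous", uid: "1234" }; // same auth as the simulator runs
```

With the posted rules, `isAllowed(asPosted, "read", "/users/1", auth)` is `true` because the root grant ends the walk; with `restructured` the same read is denied, while `/users/1234` stays readable by its owner.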
