Let Me Tink About It

Reputation: 16102

Security rules for posting to a user's subdirectory in Firebase

The following are my Firebase security rules:

security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}

It works fine when my path ends with the users directory. As in:

https://my-firebase.firebaseio.com/users/my-user-id.json

But when I try to post directly to a subdirectory, as follows:

https://my-firebase.firebaseio.com/users/my-user-id/settings.json

it doesn't work.

Question

What do I need to do to the security-rules.json file (or anything else) to be able to write directly to a user's subdirectory?

Edit:

Someone suggested, "just extend your rule to include settings." So I tried this:

security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      },
      "settings": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}

Which throws the following error:

9:30: Unknown variable '$uid'.
10:31: Unknown variable '$uid'.

Upvotes: 0

Views: 970

Answers (2)

Let Me Tink About It

Reputation: 16102

After further testing, I found the security rules contained in the OP also work in the simulator:

security-rules.json
{
  "rules": {
    "users": {
      "$uid": {
        ".write": "auth.uid === $uid",
        ".read": "auth.uid === $uid"
      }
    }
  }
}

There is no need to add additional rules for writing deeper into the node tree. The highest level permissions are sufficient.

Aside: My problem appears to be something other than the security rules I'm using. I must do more research, experimentation and testing.

Upvotes: 1

Pascal Gula

Reputation: 1173

This works in the simulator:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "settings": {
        }
      }
    }
  }
}

Upvotes: 2
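
The cascade both answers rely on, as an added example that is not part of the original posts and is not Firebase's own code: a simplified JavaScript model showing that a `.write` grant at `users/$uid` covers `users/<uid>/settings`, and that `$uid` is unbound in a `settings` node placed beside `$uid`. The function names `allowed` and `unboundVars` and the sample uids are hypothetical.

```javascript
// Simplified model of Realtime Database rule evaluation (assumption: not Firebase's code).
// Constructed rules: the question's original rules and its sibling-"settings" variant.
const original = { users: { $uid: { ".write": "auth.uid === $uid", ".read": "auth.uid === $uid" } } };
const sibling = { users: {
  $uid: { ".write": "auth.uid === $uid" },
  settings: { ".write": "auth.uid === $uid" }   // $uid is not bound on this branch
} };

// Evaluate one rule string with the wildcard variables bound so far.
// A rule that throws (for example auth is null) counts as a denial in this model.
function evalRule(expr, auth, vars) {
  try {
    const fn = new Function("auth", ...Object.keys(vars), `return (${expr});`);
    return Boolean(fn(auth, ...Object.values(vars)));
  } catch (e) {
    return false;
  }
}

// Walk the path from the root; a grant at any level cascades to everything below it.
// Model assumption: a literal key is matched before a $wildcard key.
function allowed(rules, op, path, auth) {
  let node = rules;
  const vars = {};
  for (const seg of path.split("/").filter(Boolean)) {
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    if (Object.prototype.hasOwnProperty.call(node, seg)) node = node[seg];
    else if (wildcard) { vars[wildcard] = seg; node = node[wildcard]; }
    else return false;               // rules end here and nothing above granted access
    if (typeof node[op] === "string" && evalRule(node[op], auth, vars)) return true;
  }
  return false;
}

// List rule strings that use a $variable no ancestor key binds
// (the condition reported as "Unknown variable '$uid'").
function unboundVars(node, bound = [], path = "") {
  const out = [];
  for (const [key, val] of Object.entries(node)) {
    if (typeof val === "string") {
      for (const v of val.match(/\$\w+/g) || []) {
        if (!bound.includes(v)) out.push(`${path}/${key}: ${v}`);
      }
    } else {
      const next = key.startsWith("$") ? [...bound, key] : bound;
      out.push(...unboundVars(val, next, `${path}/${key}`));
    }
  }
  return out;
}
```

To give `settings` its own rule, nest it inside `$uid`, as in the second answer, so that `$uid` is in scope.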
