Firebase Security & Rules, How can I let users delete their own data?

Question

My data in firebase looks like this, in my web app everyone who accesses it gets authenticated anonymously via firebase, and their UID is stored with every post the user creates:

  "-KF5N2V_dKD1dMHebUqc" : {
    "note" : "Hello everybody",
    "pos" : {
      "lat" : 40.3628851,
      "lng" : -74.0493175
    },
    "time" : 1460395853884,
    "uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
  },
  "-KHwyP-tnWNOA3nxzEm4" : {
    "note" : "hi",
    "pos" : {
      "lat" : 37.0947156,
      "lng" : -121.0179501
    },
    "time" : 1463459362615,
    "uid" : "f8cf7863-5607-4e2b-97d7-6a121261466c"
  }

I want my firebase rules setup so that only anonymous users can delete their through own posts.

So far i was only able to come up with this after reading the firebase documentation:

{
    "rules": {
      ".read": "auth != null",
      ".write": "auth != null",
      "$msg": {
        ".validate": "newData.hasChildren(['note','time','uid','pos']) 
          && newData.child('note').isString() && newData.child('time').isNumber() 
          && newData.child('uid').isString() && newData.child('note').isString()
          && newData.child('pos/lat').isNumber() && newData.child('pos/lng').isNumber()"
      }
    }
}

Answer 1

You'll need to move the .write permission down and tie it to the data:

{
    "rules": {
      ".read": "auth != null",
      "$msg": {
        ".write": "!data.exists() || (!newData.exists() && data.child('uid').val() === auth.uid)"
        ".validate": "..."
      }
    }
}

It's a bit of mix-and-match from these two sections of the Firebase documentation:

• https://www.firebase.com/docs/security/guide/securing-data.html#section-data-variables

• https://www.firebase.com/docs/security/guide/user-security.html