Firebase security rules problems

Question

I have some problems making my security rules for firebase to work. I am getting a constant deny.

This is ideally how I want it to be structured. To make it easier to read the data. If a certain model does not exist. The user will be able to create a section for that car and put his post there. But when another user wants to post for the same car model. He will just add to the list of posts.

{
   "rules":{
      ".read":"auth != null",
      "Cars":{
         "$anyCar":{
            "$postName":{
               ".write":"auth != null",
               ".validate":"newData.hasChildren(['uid']) && newData.child('uid').isString() && newData.child('uid').val() == auth.uid"
            }
         }
      }
   }
}

This is how I implemented my rules for this database.

{
   "Volvo":{
      "-KM_nqDpB78ZM0SE485F":{
         "color":"-10053121",
         "comments":0,
         "date":10,
         "id":1231,
         "uid":"45738372-3b72-4328-aa99-a00c05482973",
         "rating":0,
         "topic":"Volvo is a safe car",
         "user":"Brahim"
      }
   }
}

This is the json I am trying with on the simulator. I am authenticated when I am using the simulator and I am trying it against the location /Cars.

Answer 1

According to your security rules, you are allowed to write into a post, but not create a new one

"$postName":{
  ".write":"auth != null",
  ".validate":"newData.hasChildren(['uid']) && newData.child('uid').isString() && newData.child('uid').val() == auth.uid"
        }

You should allow write access in the $anycar node and maybe only allow that particular user to edit a post

   {
   "rules":{
      ".read":"auth != null",
      "Cars":{
        "$anyCar":{
          ".write":"auth != null",
          "$postName":{
           ".write": "auth.uid == newData.child('uid').val()"
           ".validate":"newData.hasChildren(['uid']) && newData.child('uid').isString()"
          }
        }
      }
    }
  }