okwme

Reputation: 795

Firebase authentication rule checks email

I would like to only allow write permissions to authenticated users who have email addresses already in a user list.

My users list looks like this:

{
  "users" : {
    "-KeZg-MuD-4TEOiW9i0_" : {
      "email" : "[email protected]"
    }
  }
}

I've tried using rules like this:

"users": {
  ".write" : "root.child('users/email').val() === auth.token.email"
}

"users": {
  ".write" : "root.child('users.email').val() === auth.token.email"
}

"users": {
  ".write" : "root.child('users.email').child(auth.token.email).exists()"
}

"users": {
  ".write" : "root.child('users').child(auth.token.email).exists()"
}

But to no avail. When I try to add a new user like this, I still get a permission denied error:

firebase.database().ref('users').push({email: '[email protected]'})

My snippets above are using [email protected] instead of the actual Google-authenticated user's email address, but the actual user is present in my users db list.

Upvotes: 0

Views: 620

Answers (1)

Frank van Puffelen

Reputation: 598728

In the JSON you shared there is no path /users/email. So this rule will never be true:

root.child('users/email').val() === auth.token.email

You cannot in security rules search under a path for a specific value. You can check for the existence of a specific key though. See "Firebase security rules to check unique value of a child #AskFirebase", "Firebase android : make username unique", or my answer in this #AskFirebase video: https://youtu.be/66lDSYtyils?t=6m15s.

Upvotes: 2
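
One way to apply the answer's point that rules can check whether a key exists but cannot search values, as an added example that is not part of the original answer: index allowed users by an encoded email key and look that key up. The `allowedEmails` node, the helper names and the sample address are assumptions, and the path walk is a local model, not the Firebase rules engine.

```javascript
// Added example: a local model of how a rule resolves a path, not the Firebase rules engine.
// 'allowedEmails', emailToKey, pathExists and the sample address are assumptions, not from the page.

// Realtime Database keys cannot contain . $ # [ ] / so the email is encoded before use as a key.
function emailToKey(email) {
  const lower = email.toLowerCase();
  if (/[$#\[\]\/\x00-\x1f\x7f]/.test(lower)) {
    throw new Error('email contains a character that is not valid in a key');
  }
  return lower.split('.').join(',');
}

// Mimics root.child(path).exists(): it walks keys only and never compares stored values.
function pathExists(root, path) {
  let node = root;
  for (const key of path.split('/')) {
    const isObject = node !== null && typeof node === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) return false;
    node = node[key];
  }
  return node !== null && node !== undefined;
}

// Shape from the question: push-id keys, with the email stored as a value (constructed address).
const pushIdShape = {
  users: { '-KeZg-MuD-4TEOiW9i0_': { email: 'alice@example.com' } },
};

// Restructured allow-list: the encoded email is itself the key.
const keyedShape = {
  allowedEmails: { [emailToKey('alice@example.com')]: true },
};

// Rule matching keyedShape; it applies the same encoding to the token's email.
const rules = {
  rules: {
    users: {
      '.write': "auth != null && root.child('allowedEmails')" +
        ".child(auth.token.email.toLowerCase().replace('.', ',')).exists()",
    },
  },
};

// The lookup the rule performs for a given token email.
function isAllowed(root, tokenEmail) {
  return pathExists(root, 'allowedEmails/' + emailToKey(tokenEmail));
}

console.log(JSON.stringify(rules, null, 2));
```

With the question's push-id shape, none of the attempted paths resolve, because the email only ever appears as a value; with the keyed shape the lookup is a single key existence check.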
