How to set firebase read rule and read all siblings if one matches

Question

I have set my firebase rules as follows:

    {
  "rules": {"users": {
       "$uid": {
         ".read": "auth != null",
        ".write": "$uid === auth.uid"

    }}
  }
}

Which allows write only to the node with matching uid and read all child nodes of every uid. But I want it to be like if I query using a child node under uid, only the matching child and it's siblings can be read...

for example this is my json structure:

 {
"users" : {

      "AJkK4yZJsoseeefrJ7i6KIOUBDghtrhgthrtDi1" : {
        "lat" : 20.5001,
        "long" : 68.3755,
        "number" : "9876543210",
        "time" : 1499599788090
      }
    }
}

I want to query using the number, and set the read rule as can read lat long and time only where the number matches. How to write the rule?

update: my question now is, how to query the database using number and get other siblings if value of number matches in android? I have tried this but not working:}

  friend = mDatabase.getReference("users");
  friend.keepSynced(true);


  Query z = LocationActivity.this.friend.orderByChild("number").equalTo("9876054321");

  z.addListenerForSingleValueEvent((new ValueEventListener() {
        long lastseen;
        public void onDataChange(DataSnapshot dataSnapshot) {
            try {
                for (DataSnapshot zoneSnapshot: dataSnapshot.getChildren()) {
                    lastseen = (Long)zoneSnapshot.child("time").getValue();
                    friendLatitude = (Double) zoneSnapshot.child("lat").getValue();
                    friendLongitude = (Double) zoneSnapshot.child("long").getValue();
                }


            } catch (Exception e) {
            }}

it returns value null, any help would be appreciated.

Answer 1

Not exactly sure if this answers the question, but I found this post looking for the following solution with respect to Firebase Storage .. where I can control which sibling nodes are accessible:

  match /uploadRoot/{userId}/{uploadCategory}/{allPaths=**} {

      // allow read access for client upload/download
      allow read, write:
        if request.auth != null
          && request.auth.uid == userId
          && (
              uploadCategory == 'userTextFiles'
              || uploadCategory == 'userImages'
            );

Answer 2

Firebase read permissions are enforced when you attach a listener. In order to query a node, you must have read permission on that node (as Bradley also explained). So in order to be able to query users, you must have read permission on /users. And since any user that has read permission to /users can also read any data under that, you cannot use security rules to filter what nodes a user has access to.

This is known as rules are not filters and is one of the common pitfalls for developers new to Firebase security model. I recommend that you read the documentation I linked already and some of the many questions/answer about the topic.

The simplest solution for your use-case seem to be to pull up the .read rule to users:

{
  "rules": {
    "users": {
      ".read": "auth != null",
      "$uid": {
        ".write": "$uid === auth.uid"
      }
    }
  }
}

}

Answer 3

In order to query every node, the user needs to have read permission for ALL nodes under the parent.

This is because security rules cannot be used to query data in Firebase.