I am working on an eCommerce web app. I need to make orders in the database read-only once created, that is, prevent editing of orders users generate, even by site administrators.
I have this in my rules:

```
"orders": {
  "$order": {
    ".read": "$order == auth.uid || auth.isAdmin == true",
    ".write": "$order == auth.uid && (data.child('orders').child($order).hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder']) !== newData.hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder'])"
  },
  ".read": "auth.isAdmin == true"
}
```
The purpose of this ($order == auth.uid || auth.isAdmin == true) in the ".write" at $order is to make sure that only signed-in users can write into the orders object, and at items with their uid as keys.
The purpose of the (data.child('orders').child($order).hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder']) !== newData.hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder']) is to ensure that this write is only possible if the table does not previously exist.
This is not working and I don't know why it is not working.
Upvotes: 0
Views: 81
Reputation: 471
This usually says that if auth.uid == $order, the authenticated user can write into the database or modify it:

```
".write": "$order == auth.uid && (data.child('orders').child($order).hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder']) !== newData.hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder'])"
```

For read-only, use:

```
".read": "$order == auth.uid || auth.isAdmin == true"
".write": "!data.exists()"
```

The !data.exists() will allow you to write once to the database and won't allow update or delete. The user can read it but not update it.
Upvotes: 1
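
An added example, not part of the question or the answer above: a complete rules file that keeps the owner check from the question and combines it with the answer's `!data.exists()`, so an order can be created only by its owner, only once, and only with all four children present. Inside the `$order` rule, `data` and `newData` already refer to `/orders/$order`, so the children are checked on `newData` directly rather than through `data.child('orders').child($order)`. The field names and the `auth.isAdmin` check are taken from the question as posted; the top-level `rules` wrapper is the standard layout of a Realtime Database rules file.

```json
{
  "rules": {
    "orders": {
      ".read": "auth.isAdmin == true",
      "$order": {
        ".read": "$order == auth.uid || auth.isAdmin == true",
        ".write": "$order == auth.uid && !data.exists() && newData.hasChildren(['items', 'datePlace', 'shipping', 'totalPriceOfOrder'])"
      }
    }
  }
}
```

No `.write` expression grants anything to `auth.isAdmin`, so an administrator signed in through a client SDK can read orders but cannot change or delete them. Server code that uses the Admin SDK with service-account credentials is not subject to these rules.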