Reputation: 330
Firebase-Database: deny in general but allow for specific path
I try to generate my Firebase-DB Rules and want to deny writing without Authentication in general and only allow it for a specific path. It gets published correctly but it does not work. http://myproject.firebaseio.com/test/foo
{
"rules": {
".read": true,
".write": "auth != null",
"foo":{
".write": "true"
}
}
}
UPDATE 1 OK, I found out that Rule-Cascading is making it impossible how I did it above, because
".write": "auth != null"
is preventing me from writing. How can I avoid that
Upvotes: 3
Views: 1107
Answers (1)
Reputation: 4564
The firebase rules cascade from the top down, so there's no way to block writing at a higher level, but allow it at a lower one. Here's a note right from the docs:
Note: Shallower security rules override rules at deeper paths. Child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.
You may need to restructure your data so that the foo object is at the top-level, which would let you have a different write rule on it.
Another option is to simply remove the write rule at the root and add it to any other root-level items that require an authenticated user.
Upvotes: 2
Related Questions
- How to make Firebase database rules so that you cannot query root /
- Firebase Security rules to restrict access on all paths but one?
- Firebase Rules - Allow Writing to a Certain Path in Realtime Database
- How to Restrict Read and Write to specific Firebase Node
- Prevent Empty Database Path using Firebase Rules
- firebase realtime db security rule to allow specific users
- Firebase - how to restrict authenticated user's access to certain paths?
- Firebase Database - prevent writing to all paths other than one specified
- Firebase Database rules - Give unauthenticated user access to ONLY read specific path
- How do I specify read access for known paths but disable enumeration in Firebase Database?