Reputation: 35
I have a node called profiles that has a list of IDs. I want to allow read access to the child nodes only and prevent reading all profiles.
This is what I have in rules, but it allows reading all profiles:
    {
      "rules": {
        "profiles": {
          ".read": true,
          ".write": false
        }
      }
    }
And this is what I have under profiles:
    {
      "1" : {
        "id" : "1",
        "name" : "test1"
      },
      "2" : {
        "id" : "1",
        "name" : "test2"
      }
    }
Upvotes: 1
Views: 1026
Reputation: 600131
Typically you'll store each user's profile under a key that has the value of their Firebase Authentication UID. So:
    {
      "profiles": {
        "uidOfUser1": {
          "id" : "1",
          "name" : "test1"
        },
        "uidOfUser2": {
          "id" : "2",
          "name" : "test2"
        }
      }
    }
In that case you can secure it with these rules:
    {
      "rules": {
        "profiles": {
          "$user_id": {
            // grants read access to the owner of this user account
            // whose uid must exactly match the key ($user_id)
            ".read": "$user_id === auth.uid"
          }
        }
      }
    }
In the security rules the value of auth.uid is the UID of the user that is currently signed in to Firebase Authentication. There is no way to spoof this value, so it's a great way to secure data access. The above rules allow a user to read a specific profile when their auth.uid matches the key of the profile. So uidOfUser1 or uidOfUser2.
Also check out the Firebase documentation on securing user data, which describes it in more detail.
Upvotes: 1
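The difference between the two rule sets in this thread, as an added example that is not part of the original question or answer: a simplified JavaScript model of how Realtime Database read rules cascade from the root down to the requested path. The `canRead` function, the rule objects and the sample UIDs are hypothetical, and the model covers only `.read` and `$` wildcards, not the real rules engine.

```javascript
// Simplified model (an assumption for illustration, not Firebase's code):
// a read is allowed if any ".read" rule on the way from the root down to
// the requested path evaluates to true. Rules below that path are ignored,
// so a rule on /profiles/$user_id never grants a read of /profiles itself.

// The question's rules: ".read": true directly on /profiles.
const openRules = { profiles: { ".read": () => true } };

// The answer's rules: ".read": "$user_id === auth.uid" on each child.
// auth is null for unauthenticated requests; modelled here as a denial.
const perUserRules = {
  profiles: {
    $user_id: {
      ".read": (auth, vars) => auth !== null && vars.$user_id === auth.uid,
    },
  },
};

function canRead(rules, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {}; // wildcard captures, e.g. { $user_id: "uidOfUser1" }
  let node = rules;
  for (let i = 0; i <= segments.length; i++) {
    // A rule that grants access here also grants it to every descendant.
    if (typeof node[".read"] === "function" && node[".read"](auth, vars)) {
      return true;
    }
    if (i === segments.length) break; // reached the requested path
    const key = segments[i];
    if (!key.startsWith(".") && Object.prototype.hasOwnProperty.call(node, key)) {
      node = node[key]; // literal child rule
    } else {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wildcard) return false; // no rule covers this branch
      vars[wildcard] = key;
      node = node[wildcard];
    }
  }
  return false; // nothing along the path granted access
}

// Constructed sample requests from a user signed in as uidOfUser1.
const user1 = { uid: "uidOfUser1" };
for (const p of ["/profiles", "/profiles/uidOfUser1", "/profiles/uidOfUser2"]) {
  console.log(p, "open:", canRead(openRules, p, user1),
    "perUser:", canRead(perUserRules, p, user1));
}
```
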