Firebase Realtime database security rules - check other node

Question

I would like to secure data while allowing users the ability to fetch "notes" that belong to a "category" they have access to in a Firebase Realtime database. I would like to avoid duplicating and maintaining access entrys - the access is therefore only stored in the category. Only authors to a category should have access to "notes" in that category.

Database structure:

"categories" : {
  "category_001": {
    "access": {
      "author": "user-001"
    }
    "data" : {
      "title": "My first category"
    }
  }
}
"notes" : {
  "note_001": {
    "data" : {
      "note": "Hello world!",
      "categoryId": "category_001"
    }
  }
}

Firebase rule:

{
  "rules": {
    "notes": {
      ".read": "
        auth.uid !== null &&
        query.equalTo === auth.uid
      ",
      "data": {
        ".read": "
        root.child('categories').child('access').child('author').val() === auth.uid"
      }
    }
}

Incorrect database query (does not check access in categories):

database.ref("notes")
  .orderByChild("access/author")
  .equalTo(`${user.uid}`)
  .once('value', (snapshot) => {
    snapshot.forEach( (data) => {
      console.log("OWNER", data.val().data.title)
    })
})

How can I write the database query to check the "categories/category001" node for access - while reading the "notes"/note001" node?

Kind regards /K

Answer 1

This type of rule won't be possible, since you can't write the correct query.

Your current query:

database.ref("notes")
  .orderByChild("access/author")
  .equalTo(`${user.uid}`)

This is trying to read the access/author property of each note, and such a property doesn't exist. Firebase won't perform a join for you here, so the query will have to work on the information that is in the notes children.