Firebase db rule to prevent delete related to another node

Question

Assume that we have two nodes: "items" and "sales". How can I write a firebase db rule to prevent any item being deleted if it is related in another node. If a user wants to delete ("items\i01") it should not give permission because it is a relation under ("sales\s01\i01")

"items": {
   "i01": {
     "name": "item1"
   },
   "i02": {
     "name": "item2"
   },
}

"sales": {
   "s01": {
     "itemKey": "i01",
     "price": "45"
   },
   "s02": {
     "itemKey": "i02",
     "price": "60"
   },
   ...
}

Frank van Puffelen · Accepted Answer

Security rules can check whether data exists at a known path, but cannot perform searches for data across (a branch of) the JSON tree. So in your current data structure, there is no way to prevent the deletion of the item based on it still being referenced.

The typical solution would be to add a data structure that you can check in security rules to see if the item is still referenced anywhere. This would pretty much be an inverse of your current sales node, which tracks the items in a sale. The inverse node would track the sales for any item:

"sales_per_item": {
  "i01": {
    "s01": true
  },
  "i02": {
    "s02": true
  }
}

You will need to make sure that this new structure (sometimes called an inverted index) is updated to say in sync with sales, both in code and in security rules.

With that in place, you can then prevent deletion of an item that still has references with:

{
  "rules": {
    "items": {
      "$itemid": {
        ".write": "!newData.exists() && !newData.parent().parent().child('sales_per_item').child($itemid).exists()"
      }
    }
  }
}

As an alternative, you can consider moving the deletion logic into a Cloud Function, where you can do the "check for orders with the item" in code, instead of in security rules.

I also recommend reading these:

Firebase db rule to prevent delete related to another node

Answers (1)

Related Questions