Firebase RTD recursive security rule

Question

In my Firebase Realtime Database, I have a comment and reply structure as shown below.

{
  "post-comments": {
    "$postId": {
      "pushKey1": {
        "uid": "uid1",
        "text": "comment 1",
        "replies": {
          "pushKey2": {
            "uid": "uid2",
            "text": "reply 1",
            "replies": {
               ... and so on
            }
          }
        }
      }
    }
  }
}

All comments will be public to read. I would like to write a recursive security rule (since there can be any number of nested "replies" fields) that only lets a user:

• push if the new data has a matching auth.uid and uid field
• update a comment/reply if auth.uid matches the existing uid field
• deletion will be handled via soft-deletion, so it is essentially the same as an update

Is this possible? I did some googling, and this link came up as a search result: https://firebase.google.com/docs/rules/rules-behavior#recursive_wildcards, but that section of the page doesn't seem to exist anymore. Does this functionality still exist? Or is there another way to do this? If it matters, I'm using it client side with React.

Answer 1

It's a common pattern to see hierarchies like this from developers new to Realtime Database, since it supports hierarchies it makes sense to want to use them.

But there is no way to define recursive security rules like that.

It is also fairly uncommon to see a recursive data model in a mature Firebase app, precisely because it makes access control hard.

I'd recommend storing the comments in a flat list, with a parentId in there. Give the top-level comments a parentId of none or whatever other fixed value, and you can query all you need.