Why am i getting permission denied in firebase?

Question

I am using angularfire and doing a bulk update in the realtime database

instead of writing the complete path to the specified object I write the parents and the data I pass contains the rest of the path

for example let's say I have a path like root/$date/$uid/myObject

I specify in the rules

{
  "rules": {
    "root" : {
      "$date" : {
        "$uid": {
          ".read": true,
          ".write" : "auth.uid === $uid && $date.matches(/someregex/)"
        }
     }
  }
}

and in angularfire I do the following

const data = {
 "12-03-2020": {
   "my-user-id": {
      data: "hello world!"
   }
 }
 "12-04-1236": {
   "my-user-id": {
      data: "hello world!"
   }
 },
 "12-06-1960": {
   "my-user-id": null
 },
}

this.db.object('root').update(data).then(...)

when writing the full path in the rule tester everything works fine but when trying it on my app i get Permission Denied also the method is working when setting write to true

Answer 1

An update statement is executed as essentially a list of set statements of each top-level key in the update object. This means that your code is trying to write to root/12-03-2020, root/12-04-1236 and root/12-06-1960 and doesn't have write permission there.

It is possible to perform deep updates of specific properties, but you will have to specify the paths to the properties in the key. So the JSON in your question would fold into this structure to perform deep updates of (only) those specific values:

const data = {
 "12-03-2020/my-user-id/data": "hello world!",
 "12-04-1236/my-user-id/data": "hello world!"
 "12-06-1960/my-user-id": null
}
...