Having trouble with firebase rules

Question

I'm new to firebase and I want to do some rules and I don't know how to do it well. If someone can help me and explain to me how they work. That would be nice! So let's start!

This is my realtime database: Image of Database

And what I want to do is that only registered users in the app can read messages and user information. Also only that you cannot delete/edit a message if you aren't the user that sent the message. The same for user information if you aren't the user you can't modify anything only read. Sorry for my English.

How can I do that? With Firebase Rules.

My actual rules are:

{
  "rules": {
    ".read": "auth != null",
        ".write": "auth != null"
  }
}

I've tried with internet examples and StackOverflow examples but I couldn't have it done. So I left it like this.

Answer 1

So, First: In rules you have three standard parameters: "read","write" and "validate". You can build you rules to suit you database schema. Let`s do it:

{
  "rules":{
        "Messages":{
           // we will ad rules here leter
        },
        "Users":{
           // we will ad rules here leter
        },
        ".write":false,
        ".read":false
  }
}

Now we can set diffrent rules for "Message" node, and different for "Users" node. Last parameters are for root, we dont want user to set new node or read them, we want only to allow them read/write in upper two nodes. When user will be trying to read from Message nodes, rules will check "Root/Message" and look for rules there, rules in "Users" block wont affect this operation. Rules working cascade, this mean that if user find ruleswhich allow him to write, write operactions will be accepted by database, even if lower will be rules with forbit this.

In firebase rules you can use plenty of functions. First let`s protect "Users" node. to allow write only for authenticate user we will add something like this:

"Users":{
    $uid:{
         ".write": auith.uid == $uid,
         ".read": auth != null,
    },
    ".write": auth != null
}

With $ sign we can create variable, when users try to write/read in Root/Users/1234, $uid will take value 1234. With "auith.uid == $uid" we only allow user to write in their own nodes . We should also set write rules lower (in "Users" node) to allow users to add new child to this node.

For "Message" rules we will use hasChild() method, something like this:

"Message":{
    $messageUID:{
                ".write": data.child('uId').val() == auth.uid,
                ".validate": newData.hasChild('message') && newData.hasChild('name')..
    },
    ".write":root.child("Users").haschild(auth.uid),
    ".read":root.child("Users").haschild(auth.uid)
}

Here we`re setting that only user whose uid is in uId property can write in $messageUID node. ".validate" rules are checking if data after operations will having message child and name child (you can add more child ).

Rule ".write":root.child("Users").haschild(auth.uid) will only allow to write for user whose id exist in Users node.

All together we have:

{
 "rules":{
    "Messages":{
         "$messageUID":{
            ".write": "data.child('uId').val() == auth.uid",
            ".validate": "newData.hasChild('message') && 
                          newData.hasChild('name')"
         },
     ".write": "root.child('Users').hasChild(auth.uid)",
     ".read":"root.child('Users').hasChild(auth.uid)",
    },
    "Users":{
          "$uid":{
            ".write": "auth.uid == $uid",
            ".read": "auth != null",
          },
     ".write": "auth != null"
    },
    ".write":false,
    ".read":false
 }
}

I wasn't tested this rules so maybe you need to change something, but now you should better understand how to use rules and what you can do with them. Ask if something will be wrong