MA-Moustache

Reputation: 335

How to deny access to child nodes with Firebase realtime database?

I'm trying to deny access to the "private" child node of my Firebase realtime database.

My database looks like this:

event
..1
....end: "2020-10-27T17:30:00"
....privateData
......phone: "01111111"
......title: "Meeting with John"
....start: "2020-10-27T17:00:00"

I would like to deny the access to the privateData node.

I learned that child nodes inherit from parent nodes, so it is really tricky to retrieve only the "end" and "start" fields in my JSON.

My current rules (that are obviously wrong) are:

{
  "rules": {
    "event": {
      "$uid": {
        ".read": "true",
        "privateData": {
            ".read": "false"
        }
      }
    }
  }
}

The final process would be to retrieve all the Events without their privateData child node into my Angular app.

Angular App currently looks like this:

  eventsRef: AngularFireList<Event>;
  getBooking()
  {
    this.eventsRef = this.db.list('event');
    return this.eventsRef;
  }

Thank you very much for your time.

Upvotes: 0

Views: 101

Answers (1)

Renaud Tarnec

Reputation: 83058

As indicated in the doc:

Shallower security rules override rules at deeper paths. Child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.

One solution is to push your confidential data in another parent node, as follows:

event
..1
....end: "2020-10-27T17:30:00"
....start: "2020-10-27T17:00:00"
.....
event
..2
....end: "2020-10-29T17:30:00"
....start: "2020-10-29T17:00:00"
.....
// .....
// .....
// .....
eventPrivateData
..1       //  <=== Same id as the other (master) node
....privateData
......phone: "01111111"
......title: "Meeting with John"
..2
....privateData
......phone: "09999999"
......title: "Meeting with Sophie"

You can keep the different nodes in sync by using the update() method, from the frontend, or, from the backend, via a Cloud Function.

Upvotes: 1
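
Added example (not part of the original answer, and not Firebase's own code): a simplified JavaScript model of the read-rule cascade quoted above. It shows that the question's rules still expose privateData while the split layout does not, and it builds the multi-location object to pass to update(). The helper names canRead and splitEventUpdate, the ".read" rule placed at event, and the placeholder deny rule under eventPrivateData are assumptions.

```javascript
// Simplified model of Realtime Database read-rule evaluation (added example).
// Assumption: only literal "true"/"false" .read expressions and $wildcard keys.
function canRead(rules, path) {
  let node = rules.rules;
  if (node[".read"] === "true") return true;
  for (const segment of path.split("/").filter(Boolean)) {
    if (node === undefined) break; // no rules defined below this point
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    node = node[segment] ?? (wildcard ? node[wildcard] : undefined);
    // A grant anywhere on the way down is final; a deeper "false" cannot revoke it.
    if (node && node[".read"] === "true") return true;
  }
  return false; // nothing granted access: denied by default
}

// Rules as posted in the question.
const questionRules = {
  rules: { event: { $uid: { ".read": "true", privateData: { ".read": "false" } } } },
};

// Rules for the split layout from the answer (assumed, not from the page).
const splitRules = {
  rules: {
    event: { ".read": "true" },
    // Placeholder: the real condition depends on who may see the private data.
    eventPrivateData: { $uid: { ".read": "false" } },
  },
};

// Build one multi-location object for update() on the root reference,
// so the public and private nodes are written together under the same id.
function splitEventUpdate(id, event) {
  const { privateData, ...publicData } = event;
  return {
    [`event/${id}`]: publicData,
    [`eventPrivateData/${id}/privateData`]: privateData,
  };
}

// Constructed sample taken from the question's data.
const sampleEvent = {
  end: "2020-10-27T17:30:00",
  privateData: { phone: "01111111", title: "Meeting with John" },
  start: "2020-10-27T17:00:00",
};
console.log(canRead(questionRules, "event/1/privateData")); // still readable
console.log(canRead(splitRules, "eventPrivateData/1/privateData")); // denied
console.log(splitEventUpdate("1", sampleEvent));
```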
