Reputation: 1472
I know from the documentation that Firebase's Realtime Database has a set of rule types like .write and .read.
My question is: what about more specific needs? Like, what if I have to control not only whether a user can or cannot write, but whether he can write to create, write to edit, or write to delete? Can FRB rules distinguish between these different types so that I can regulate them?
Upvotes: 0
Views: 88
Reputation: 5840
Yes, you can do this. In the Real-Time Database, you can use the .validate rule to determine if you want to allow an operation. So if you want to allow a user to write, but only to delete (for example), you could do something like this:
{
  "rules": {
    "posts": {
      "$postId": {
        // Anyone can read
        ".read": true,
        // Some write condition
        ".write": ...,
        // User can only write to create or delete, not edit
        ".validate": "!data.exists() || !newData.exists()"
      }
    }
  }
}
In this case, the user can only write to the RTDB if !data.exists() - i.e., to create new if the data before the operation runs doesn't exist - or if !newData.exists() - i.e., to delete if, after the operation, the new data in this record no longer exists.
You can combine these rules for very fine-grained control of your data and access. If you need more access control beyond what you get with RTDB security rules, you can lock the data down with RTDB rules and then create Cloud Functions to access and modify RTDB with server-side logic and processing.
Also check out: https://firebase.google.com/docs/rules/rules-language?authuser=0#rule_constructs
Upvotes: 2
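An added example, not part of the answer above: one way to give create, edit and delete each their own condition by combining data.exists() and newData.exists() inside a single .write rule. The owner and title fields and the admin custom claim are assumptions made for illustration.

```json
{
  "rules": {
    "posts": {
      "$postId": {
        ".read": true,
        // create: nothing stored before, data after, and the new post names the caller as owner
        // edit:   data before and after, the caller owns the post and leaves the owner unchanged
        // delete: data before, nothing after, and the caller carries the (assumed) admin custom claim
        ".write": "auth != null && ((!data.exists() && newData.exists() && newData.child('owner').val() === auth.uid) || (data.exists() && newData.exists() && data.child('owner').val() === auth.uid && newData.child('owner').val() === auth.uid) || (data.exists() && !newData.exists() && auth.token.admin === true))",
        // .validate is evaluated only when newData exists, so the delete case is decided in .write
        ".validate": "newData.hasChildren(['owner', 'title'])"
      }
    }
  }
}
```

A .write rule that grants access at a parent path such as posts would override these conditions, because read and write rules cascade downward.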