Firebase Security: read-only parent node, but writable child nodes

https://stackoverflow.com//questions/23057570

firebase
firebase-security

26-12-2019
|

Question

Can I have a read-only parent node, but allow write to its leaf node?

Use-case:

User parent Testimonial as children

I'd let authenticated user to read their own user object, but allow them write testimonials to other user.

Or shoud it be down as two parent level nodes with user id linked?

Thanks.

Solution

Yes - you can.

Setup the more restrictive .write rule at the parent rule, but then setup a less restrictive .write rule at the leaf node.

For example:

{
   "root": {
       "parent": {
            "$user": {
                 ".write": false,
                 ".read": true,                    
                 "leaf": {
                     ".write": true
                 }
             }
       }
}

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow