Firebase Security Rules: Public vs. Private Data

Question

I have a collection of signatures where each signature has a few properties: public: fullname, city and then email.

I want to keep the email property private and I've been struggling with writing the correct rules to only return fullname and city. Here is what my rules.json looks like so far:

{
    "rules": {
        "signatures": {
            "$signatureID": {
                "public": {
                    ".read": true
                },
                "email": {
                    ".read": false
                }
            }
        }
    }
}

When I go to the /signatures end point, I would like to receive an array of signatures with the public data and not receive the email addresses.

So far I haven't had any luck getting this to work the way I want it to. Am I doing something wrong? Should I structure my data differently?

Answer 1

With respect to security rules, Firebase operations are all-or-nothing.

As a result, attempting to load all of the data at /signatures will fail because your client does not have permission to read all of the data at that location, though you do have permission to read some of the data there. Similarly, writing to a location behaves the same way, and full permission is required before your operation will continue.

To handle this use case, consider restructuring your data like this:

{
  "rules": {
    ".read": false,
    ".write": false, 
    "signatures-public": {
      ".read": true,
      "$signatureID": {
        // ... public data here
      }
    },
    "signatures-private": {
      "$signatureID": {
        // ... private data here
      }
    }
  }
}