Firebase security - newData() as a parameter of hasChildren() expression

Question

I want allow users to create their account only if they have a token(invitation). In my firebase Security i have:

{
"rules": {
  ".read": false,
  ".write": false,
  "users": {
    // allow to write if in the invitations there is child equal to token from newData()
    ".write":"root.child('invitations').hasChild(newData.child('token').val())",  
  },
 "invitations":{
   "$invitation":{
     ".read": "true"
   }
  }
}

}

as is in the comment i want allow to write if in the invitations there is child equal to token from newData().

From Simulator:

Attempt to write {"token":"evl6yky3vi0pmn29","name":"John"} to /users/99 with auth=null
/:.write: "false"
    => false
/users:.write: "root.child('invitations').hasChild(newData.child('token').val())"
6:52: hasChild() expects a string argument.
    => false
/users/99:<no rules>

how should I do this?

Answer 1

You've almost got it perfect. The only flaw here is that you're trying to write to users/99, but you've put the rule on users/.

Presumably, you meant this:

"users": {
   "$user_id": {
      // allow to write if in the invitations there is child equal to token from newData()
      ".write":"root.child('invitations').hasChild(newData.child('token').val())",  
   }
},