Security rules cannot be used as data filters. You can't just read the entire posts path and expect to only retrieve the records you're allowed to see. Instead, you need to architect your data in a manner that you can read the whole path, or store an index of which records are viewable and fetch them separately.
For example, store the records by group ids or by user ids:
/posts/$group/data...
/posts/$user/data...
And then you can ensure your users have permissions by assigning them to appropriate groups, and simply fetching the messages for those groups:
var ref = new Firebase(base + '/posts/' + GROUP_ID);
var posts = $firebaseArray(ref);
Or you can create an index of messages each user/group/etc may view:
/posts/$post_id/data...
/posts_i_can_view/$user_id/$post_id/true
And fetch them individually from the master list. A tool like Firebase-util will make this much simpler:
var fb = new Firebase(base);
// Join each post ID in the user's index with the matching record under /posts
var ref = new Firebase.util.NormalizedCollection(
    fb.child('posts_i_can_view/'+USER_ID),
    fb.child('posts')
  )
  .select('posts.message', 'posts.user_id')
  .ref();
var posts = $firebaseArray(ref);
Further reading on Firebase data structures:
https://www.firebase.com/docs/web/guide/structuring-data.html
https://www.firebase.com/docs/web/guide/understanding-data.html
https://www.firebase.com/blog/2013-04-12-denormalizing-is-normal.html
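Why rules cannot act as filters, shown as an added example that is not part of the original answer and is not Firebase SDK code: a simplified in-memory model of `.read` evaluation for the `/posts/$group` layout above. The `group_members` path, the sample data and the function names are assumptions made for illustration.

```javascript
// Constructed sample data; group_members is a hypothetical membership path.
const db = {
  group_members: { g1: { alice: true }, g2: { bob: true } },
  posts: { g1: { p1: { message: 'hi' } }, g2: { p2: { message: 'secret' } } },
};

// Rules tree: a '$name' key is a wildcard segment; '.read' is a predicate.
const rules = {
  posts: {
    $group: {
      '.read': (auth, vars, root) =>
        Boolean(auth && (root.group_members[vars.$group] || {})[auth.uid]),
    },
  },
};

// A read is granted only if a .read rule at the requested location, or at one
// of its ancestors, evaluates to true. Rules below the requested location are
// never consulted, so a read of /posts cannot return "only the allowed groups".
function canRead(path, auth) {
  let node = rules;
  const vars = {};
  if (node['.read'] && node['.read'](auth, vars, db)) return true;
  for (const seg of path.split('/').filter(Boolean)) {
    const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
    if (Object.prototype.hasOwnProperty.call(node, seg)) node = node[seg];
    else if (wildcard) { vars[wildcard] = seg; node = node[wildcard]; }
    else return false; // no rule covers this path: default deny
    if (node['.read'] && node['.read'](auth, vars, db)) return true;
  }
  return false;
}

// All-or-nothing read: either the whole subtree is returned or the call fails.
function read(path, auth) {
  if (!canRead(path, auth)) throw new Error('permission_denied: ' + path);
  return path.split('/').filter(Boolean).reduce((n, s) => (n == null ? n : n[s]), db);
}
```

Reading `/posts` as `alice` fails outright even though she may read `/posts/g1`; the client has to request the group path (or each indexed post) directly.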