Angularfire - How do the security rules match an email after it is logged in via password provider

StackOverflow https://stackoverflow.com/questions/22122579

  •  18-10-2022

Question

What I would like to achieve is to prevent a logged-in user (via "password" provider) from removing data, i.e. $remove().

var mod = angular.module("m", ["firebase"]);

mod.controller("ctrlA", function($scope, $firebase, $firebaseSimpleLogin){
    $scope.db = $firebase(new Firebase("https://projectdb.firebaseio.com"));
    $scope.login = $firebaseSimpleLogin(new Firebase("https://projectdb.firebaseio.com"));
    $scope.login.$login("password", {email: "sample@gmail.com", password: "123"}).then(
        function(user){ console.log(user); },
        function(error){ console.log(error); }
    );

    $scope.db.$remove("var1");        // var1 from database url specified above

});

It is confusing for me seeing online posts that mention $user or auth=!null in the security rules. Under "Simple Login" UI in Admin Interface in Firebase, at "Registered Users", there is no username, only email and an id. So how can the Security Rules communicate with the "Registered Users" and therefore have security rules specified to them?


Solution

The auth variable in security rules corresponds to the token used in auth(). This is not specific to Simple Login or to the email/password provider. (Simple Login supports multiple authentication methods, not just this one). $user in your example refers to a $ variable.

Most of this is explained in the security rules overview and I'd highly recommend reading that and the quick start as a primer to working with security rules.

To prevent a user from removing data, simply add newData.exists(), which will ensure that it is not set to null (i.e. deleted).

{
  "rules": {
     "path_with_no_delete": {
        "$record": {
           ".write": "newData.exists()" // you probably want auth.id in here somewhere too
        }
     }
  }
}
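
A local model of the rule in the answer above, added here as an example (not code from the original answer and not Firebase's rule engine): it evaluates the page's `newData.exists()` rule and a variant that also requires `auth != null` against create, update and remove. The `snapshot` and `evaluateRule` helpers and the fields of the sample auth object are assumptions made for illustration.

```javascript
// Local model of ".write" rule evaluation; NOT Firebase's rule engine.
// It mimics only the variables used on this page: auth, data (current value)
// and newData (the value that would exist after the write).

// Minimal stand-in for a rules snapshot: only exists() and val() are modelled.
function snapshot(value) {
  return {
    exists: () => value !== null && value !== undefined,
    val: () => value,
  };
}

// Rule strings are JavaScript-like, so the model evaluates them as expressions.
function evaluateRule(rule, { auth, current, next }) {
  const fn = new Function("auth", "data", "newData", `return (${rule});`);
  return Boolean(fn(auth, snapshot(current), snapshot(next)));
}

const RULES = {
  answer: "newData.exists()",                   // rule from the answer
  withAuth: "auth != null && newData.exists()", // same rule plus a login check
};

// Constructed auth payload for a password login (field names are assumptions).
const loggedIn = { provider: "password", id: "1", email: "sample@gmail.com" };

// A remove is a write whose resulting value is null.
const OPERATIONS = {
  create: { current: null, next: "value" },
  update: { current: "old", next: "new" },
  remove: { current: "old", next: null },
};

// Evaluate every rule for every caller and operation.
function decisionTable() {
  const table = {};
  for (const [ruleName, rule] of Object.entries(RULES)) {
    for (const [who, auth] of [["anonymous", null], ["loggedIn", loggedIn]]) {
      for (const [op, values] of Object.entries(OPERATIONS)) {
        table[`${ruleName}/${who}/${op}`] = evaluateRule(rule, { auth, ...values });
      }
    }
  }
  return table;
}

console.table(decisionTable());
```

In this model the answer's rule rejects every remove but still accepts creates and updates from a client that never logged in; the variant with `auth != null` rejects those as well.
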
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow