Question

I have a Firebase location with all of my app's stored messages as child objects.

I want clients to be able to get each message if they know the id of the message but not download the entire messages table.

What would the security rule for this look like?

Thanks.

Solution

You can disallow a read on the parent, but allow reads if the ID is known:

{
  "rules": {
    "messages": {
      // Disallow enumerating list of messages
      ".read": false,
      ".write": false,
      "$messageID": {
        // If you know the messageID you can read the message.
        ".read": true,
        // Cannot overwrite existing messages (optional).
        ".write": "!data.exists()"
      }
    }
  }
}

See https://github.com/firebase/firepano for an example app that uses unguessable URLs for security.
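
Added example, not part of the original answer or of any Firebase code: a simplified JavaScript model of how the rules above are evaluated along a path, together with a message ID drawn from a CSPRNG, since the ID is the only secret protecting a message. The helpers `allowed` and `newMessageId` and the sample data are assumptions made for illustration.

```javascript
// Simplified model of how the rules above are evaluated (added example).
// Web Crypto is global in recent Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// The rules from the answer as a plain object.
const rules = {
  messages: {
    ".read": false,
    ".write": false,
    $messageID: { ".read": true, ".write": "!data.exists()" },
  },
};

// Constructed sample data; the key is a made-up ID.
const db = { messages: { k3Jq0cS1vYp8Zt5hWm2BxA: { text: "hello" } } };

// Walk the path from the root. Access is granted as soon as a rule on the way
// evaluates to true; a false at the parent does not revoke a grant on a child.
function allowed(op, path) {
  let rule = rules;
  let data = db;
  for (const seg of path.split("/").filter(Boolean)) {
    const wild = Object.keys(rule).find((k) => k.startsWith("$"));
    rule = Object.hasOwn(rule, seg) ? rule[seg] : wild ? rule[wild] : undefined;
    if (rule === undefined) return false; // no rule for this path: default deny
    data = data?.[seg];
    const expr = rule["." + op];
    if (expr === true) return true;
    // The only expression used on this page; it is true when no data exists here.
    if (expr === "!data.exists()" && data === undefined) return true;
  }
  return false;
}

// 16 random bytes = 128 bits. base64url avoids "/", which is not valid in a key.
function newMessageId() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Buffer.from(bytes).toString("base64url");
}
```
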

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow