Firebase Security Rules: Allow Read Only One Field

Question

Firebase Security Rules: Allow Read Only One Field

In my Firebase security rules, I want anonymous users to be able to read anything but one field ( secret_field ):

 { "rules": { ".read": true, ".write": "auth != null", "stuff" : { "$stuffID" : { "secret_field" : { ".read" : "auth != null" } } } } }

However, in Firebase, if a read rule on the path to secret_field evaluates to true, read access is granted on the secret field .

Is there any way to undo this behavior? (If any read rule on the path to secret_field evaluates to false, deny read access)

+4

firebase

Marvin killing Jan 30 '13 at 1:56

source share

1 answer

Michael Lehenbauer · Accepted Answer · 2013-01-30T03:19:04+0000

You cannot change the behavior, but you can solve this by introducing a “container” for public fields and setting its .read value to true. For instance:

 { "rules": { "stuff" : { "$stuffID" : { "public" : { ".read": true }, "secret_field" : { ".read" : "auth != null" } } } } }

And then everything under ... / public / is accessible to everyone, but ... / secret _field is available only to authenticated users.

Firebase Security Rules: Allow Read Only One Field

More articles: