I'm having a hard time figuring out how the Firebase rules should be in order for me to restrict the reading/writing as I'd like.
I'm working on a queue system in Firebase, where the structure is as follows
"eventQueues": {
"event1": {
"owner": "simplelogin:1",
"queue": {
"simplelogin:2": {"someinfo": "..."},
"simplelogin:3": {"someinfo": "..."},
"simplelogin:4": {"someinfo": "..."}
}
},
"event2": {...},
...
}
I would like to achieve the following:
Anybody can read the data
".read": trueAny user can create (and edit any part of) an event and but has to be the owner of it.
I believe this can be achieved by:
".write" : "auth != null &&
(data.child('owner').val() == auth.uid ||
newData.child('owner').val() == auth.uid)"
- Any user can add their own entry to the queue of an event but may not change anything else in the queue, nor remove themselves from the queue.
This is where I am having trouble, and the best I have been able to come up with is the following (which will be combined with the write-rule above)
".write": "!data.child(auth.uid).exists()"
But as far as I can tell, this still allows the users to write to anything but the queue-entry corresponding to their own uid.
So can I in any way make a rule that allows non-event-owners only to add themselves to the queue, and nothing else?