Realtime db Security Rules: allow only specific fields

Question

Let's say I have a Firebase Realtime database with the below data structure. And let's say I want to allow write access for uuid and content but not for locked. Is that possible to do with the Security Rules?

{
  "messages": { 
     "message1": {
        "uuid": "1234",
        "content": "Lorem ipsum",
        "locked": true
     }
  }
}

In Firestore you can do something like:

request.resource.data.keys().hasOnly(
  ['uuid', 'content']
)

Can the same be achieved for the Realtime Database?

Answer 1

The trick to only allow specific children, is to allow those children and reject all others. For your example, that'd be:

{
  "rules": {
    ".read": true,
    ".write": true,
    "messages": {
      "$messageid": {
        "uuid": {
          ".validate": true
        },
        "content": {
          ".validate": true
        },
        "locked": {
          ".validate": true
        },
        "$other": {
          ".validate": false
        },
      }
   }
  }
}

This allows writing the named uuid, content and locked properties, and rejects any other properties with a wildcard capture rule.

---

If you want to not allow changing the value of uuid, you can do that with:

"uuid": {
  ".validate": "newData.val() == data.val()
},

See the documentation on new vs existing dat

---

Also see:

• Firebase realtime database rules to edit only existing fields
• Firebase database rules allow update but prevent create
• Firebase Database - prevent writing to all paths other than one specified