Restricting child/field access with security rules

南旧 2020-11-22 00:05

I'm writing an app that allows users to submit nominations which are moderated before being displayed to other users. This requires a number of restrictions I've so far be

3 answers
  •  旧巷少年郎
    2020-11-22 00:48

    If I fully grok the way security rules work (I'm just learning them myself), then when any one rule allows access, access is granted. Thus, they are read as follows:

    • nominations ".read": true, ACCESS GRANTED
    • other rules: not read

    Furthermore, if that rule is removed, $nominationId ".read" grants access if the record is approved; therefore, the .read in phone and state become superfluous whenever it's approved.

    It would probably be simplest to break this down into public/ and private/ children, like so:

    nominations/unapproved/          # only visible to logged in users
    nominations/approved/            # visible to anyone (move record here after approval)
    nominations/approved/public/     # things everyone can see
    nominations/approved/restricted/ # things like phone number, which are restricted
    

    UPDATE

    Thinking this over even more, I think you'll still encounter an issue with making approved/ public, which will allow you to list the records, and having approved/restricted/ private. The restricted data might need its own path as well in this use case.
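
The cascade described in the answer above, and the split layout from its UPDATE, as an added example that is not part of the original post and not Firebase's own evaluator: a simplified JavaScript model in which each `.read` is a predicate. The logged-in check on `phone`/`state`, the top-level `restricted` path name and the sample records are assumptions.

```javascript
// Simplified model of how read rules cascade (an illustration, not Firebase's evaluator).
// Each ".read" is a JS predicate standing in for a rule expression string.
function canRead(rules, path, auth, root) {
  let node = rules;
  let data = root;
  for (const seg of path.split("/").filter(Boolean)) {
    const wild = Object.keys(node).find((k) => k.startsWith("$"));
    node = Object.prototype.hasOwnProperty.call(node, seg) ? node[seg] : node[wild];
    if (node === undefined) return false; // no rule covers this path: denied by default
    data = data == null ? undefined : data[seg];
    // The first rule on the way down that evaluates true grants the whole subtree.
    if (typeof node[".read"] === "function" && node[".read"](auth, data)) return true;
  }
  return false;
}

const loggedIn = (auth) => auth !== null;

// Layout the answer analyses: a blanket grant on nominations plus per-field rules.
// What the phone/state rules check is an assumption (logged-in users only).
const flatRules = {
  nominations: {
    ".read": () => true,
    $nominationId: {
      ".read": (auth, data) => Boolean(data && data.approved),
      phone: { ".read": loggedIn },
      state: { ".read": loggedIn },
    },
  },
};
// The same rules with the blanket grant removed.
const { ".read": _blanket, ...withoutBlanket } = flatRules.nominations;
const flatRulesNoBlanket = { nominations: withoutBlanket };

// Split layout from the UPDATE: restricted fields sit outside every public subtree.
// The top-level "restricted" path name is hypothetical.
const splitRules = {
  nominations: {
    unapproved: { ".read": loggedIn },
    approved: { ".read": () => true },
  },
  restricted: { $nominationId: { ".read": loggedIn } },
};

// Constructed sample data for the flat layout.
const flatDb = { nominations: {
  n1: { approved: true, phone: "555-0100", state: "NY" },
  n2: { approved: false, phone: "555-0101", state: "CA" },
} };
```

Calling `canRead(flatRulesNoBlanket, "nominations/n1/phone", null, flatDb)` returns `true`: the record-level grant on an approved nomination already covers `phone`, so only moving the field to a separate path, as in `splitRules`, keeps it from anonymous readers.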
