Perhaps I'm tackling this problem too much from an SQL kind of perspective, but I'm having trouble understanding how to properly restrict which children should be allowed
You're falling into a few common Firebase security pits here. The most common one is that permission cascades down: once you've granted read or write permission on a certain level in the tree, you cannot take that permission away at a lower level.
That means that these rules are ineffectual (since you've granted read/write one level higher already):
    "$other": {
      ".read": false,
      ".write": false
    }
To solve the problem you must realize that .validate rules are different: data is only considered valid when all validation rules are met. So you can reject the $other data with a validation rule:
    {
      "rules": {
        "$product": {
          ".read": true,
          ".write": true,
          ".validate": "newData.hasChildren(['price'])",
          "price": {
            ".validate": "newData.isNumber()"
          },
          "$other": {
            ".validate": false
          }
        }
      }
    }
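
The difference between the two rule sets above, as an added example that is not part of the original answer: a simplified JavaScript model (not Firebase's evaluator) in which rule expressions are plain predicates and only the rules at or below the written location are validated. The helper names `ruleChild`, `validates` and `canWrite` are hypothetical.

```javascript
// Simplified model of rule evaluation, not Firebase's own evaluator.
// Rule expressions are JS predicates over the new value instead of rule strings.
const before = {
  $product: {
    ".write": () => true,
    $other: { ".write": () => false }, // the ineffectual rule from the answer
  },
};
const after = {
  $product: {
    ".write": () => true,
    ".validate": (d) => d !== null && typeof d === "object" && "price" in d,
    price: { ".validate": (d) => typeof d === "number" },
    $other: { ".validate": () => false },
  },
};

// Rule node for a child key: a literal match wins, otherwise the $wildcard.
function ruleChild(node, key) {
  if (!node) return undefined;
  if (Object.prototype.hasOwnProperty.call(node, key)) return node[key];
  const wild = Object.keys(node).find((k) => k.startsWith("$"));
  return wild ? node[wild] : undefined;
}

// .validate does not cascade: every rule at or below the written node must pass.
function validates(node, value) {
  if (value === null) return true; // deletes are not validated
  if (node && node[".validate"] && !node[".validate"](value)) return false;
  if (typeof value !== "object") return true;
  return Object.keys(value).every((k) => validates(ruleChild(node, k), value[k]));
}

// .write cascades: once granted on the way down, deeper rules cannot revoke it.
function canWrite(rules, path, value) {
  let node = rules;
  let granted = false;
  for (const key of path) {
    node = ruleChild(node, key);
    if (!granted && node && node[".write"] && node[".write"](value)) granted = true;
  }
  return granted && validates(node, value);
}
```

With the constructed inputs used here, `canWrite(before, ["widget", "color"], "red")` is allowed despite the `".write": false` under `$other`, while the same write against `after` is rejected by the `$other` validation rule.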