It is common practice to create groups of items by creating simple value nodes with the item ID as the key. For example, we can add a user to the group "administrators" by creating a node at /administrators/$user_id with a value of true. For security reasons we don't want anyone to know who the administrators are, but we still want to check whether an authenticated user is an administrator. With these rules we can do just that:
{
  "rules": {
    "administrators": {
      // No one can list administrators
      ".read": "false",
      "$uid": {
        // Authenticated user can check if they are in this group
        ".read": "$uid === auth.uid",
        // Administrators can write
        ".write": "data.parent().child(auth.uid).val() === true",
        // Allow only add or delete, no duplicates
        ".validate": "!data.exists() || !newData.exists() || newData.isBoolean()"
      }
    }
  }
}
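
To see which requests these rules allow, here is an added example (not part of the original page and not the Firebase rules engine) that models the three expressions as plain JavaScript and evaluates them against constructed data. The function names, the users alice and bob, and the sample data are assumptions made for illustration.

```javascript
// Plain-JavaScript model of the rule expressions under /administrators.
// `auth` is { uid } or null (unauthenticated); `admins` is the node's current data.

// Constructed sample data: alice is the only administrator.
const sampleAdmins = { alice: true };

// ".read": "false" on /administrators, "$uid === auth.uid" on /administrators/$uid.
// targetUid === null models a read of the whole /administrators list.
function canRead(targetUid, auth) {
  if (targetUid === null) return false;            // nobody can list the group
  return auth !== null && targetUid === auth.uid;  // only your own entry
}

// ".write" and ".validate" on /administrators/$uid; newValue === null is a delete.
function canWrite(targetUid, newValue, auth, admins) {
  // data.parent().child(auth.uid).val() === true: caller must already be an admin.
  if (auth === null || admins[auth.uid] !== true) return false;
  // .validate is not evaluated when data is deleted.
  if (newValue === null) return true;
  // !data.exists() || !newData.exists() || newData.isBoolean()
  const dataExists = Object.prototype.hasOwnProperty.call(admins, targetUid);
  return !dataExists || typeof newValue === 'boolean';
}

function decisions(admins) {
  const alice = { uid: 'alice' }, bob = { uid: 'bob' };
  return {
    adminListsGroup: canRead(null, alice),               // false
    aliceReadsOwnEntry: canRead('alice', alice),         // true
    bobReadsOwnEntry: canRead('bob', bob),               // true (value is null)
    bobReadsAliceEntry: canRead('alice', bob),           // false
    anonymousReadsAlice: canRead('alice', null),         // false
    aliceAddsBob: canWrite('bob', true, alice, admins),  // true
    bobAddsHimself: canWrite('bob', true, bob, admins),  // false
    aliceRemovesHerself: canWrite('alice', null, alice, admins),    // true
    aliceSetsOwnToString: canWrite('alice', 'yes', alice, admins),  // false
    // The value type is only checked when the node already exists.
    aliceAddsBobAsString: canWrite('bob', 'yes', alice, admins),    // true
    // With an empty group no client write passes ".write".
    firstAdminOnEmptyGroup: canWrite('alice', true, alice, {}),     // false
  };
}

console.log(decisions(sampleAdmins));
```

The last case shows that the first administrator entry has to be created outside these rules, because no client satisfies the ".write" expression while the group is empty.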