0
0
Firebasecloud~20 mins

Realtime Database security rules in Firebase - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Realtime Database Security Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
service_behavior
intermediate
2:00remaining
Understanding Read Access in Realtime Database Rules

Given the following Firebase Realtime Database security rule snippet, what will happen when an unauthenticated user tries to read data at /messages?

{
  "rules": {
    "messages": {
      ".read": "auth != null",
      ".write": "auth != null"
    }
  }
}
AThe read request will be allowed only if the user has a verified email.
BThe read request will be allowed because read rules are open by default.
CThe read request will be denied because the user is not authenticated.
DThe read request will be denied because write permission is required for reading.
Attempts:
2 left
💡 Hint

Check the condition for .read and what auth != null means.

Configuration
intermediate
2:00remaining
Rule to Allow Writes Only by Owner

Which of the following Firebase Realtime Database security rules correctly allows write access only if the authenticated user's UID matches the ownerId field in the data being written at /posts/{postId}?

A
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth != null && auth.uid == newData.child('ownerId').val()"
      }
    }
  }
}
B
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth != null && auth.uid == data.child('ownerId').val()"
      }
    }
  }
}
C
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth != null && auth.uid == $postId"
      }
    }
  }
}
D
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth != null && data.exists() && auth.uid == data.child('ownerId').val()"
      }
    }
  }
}
Attempts:
2 left
💡 Hint

Remember that newData refers to the incoming data being written, while data refers to existing data.

Architecture
advanced
2:00remaining
Designing Rules for Public Read and Owner-Only Write

You want to design Firebase Realtime Database rules for /profiles/{userId} so that:

  • Anyone can read any profile.
  • Only the profile owner can write to their profile.

Which rule set below correctly implements this?

A
{
  "rules": {
    "profiles": {
      "$userId": {
        ".read": "true",
        ".write": "auth != null && auth.uid == data.child('userId').val()"
      }
    }
  }
}
B
{
  "rules": {
    "profiles": {
      "$userId": {
        ".read": "auth != null",
        ".write": "auth != null && auth.uid == $userId"
      }
    }
  }
}
C
{
  "rules": {
    "profiles": {
      "$userId": {
        ".read": "true",
        ".write": "auth != null && auth.uid == newData.child('userId').val()"
      }
    }
  }
}
D
{
  "rules": {
    "profiles": {
      "$userId": {
        ".read": "true",
        ".write": "auth != null && auth.uid == $userId"
      }
    }
  }
}
Attempts:
2 left
💡 Hint

Check which variable holds the user ID in the path and how to allow public read.

security
advanced
2:00remaining
Identifying a Security Risk in Realtime Database Rules

Consider the following Firebase Realtime Database security rules:

{
  "rules": {
    "orders": {
      ".read": "auth != null",
      ".write": "true"
    }
  }
}

What is the main security risk with these rules?

AOnly authenticated users can read orders, but anyone can write, risking data tampering.
BOnly authenticated users can write, but read is open to all.
CNo one can read or write orders because the rules are contradictory.
DAnyone can write to the orders node, even unauthenticated users.
Attempts:
2 left
💡 Hint

Look at the .write rule and who it allows.

Best Practice
expert
2:00remaining
Optimizing Realtime Database Rules for Performance and Security

You have a large Firebase Realtime Database with many nested nodes. You want to write security rules that:

  • Minimize rule evaluation time.
  • Prevent unauthorized access efficiently.

Which approach below follows best practices for writing efficient and secure rules?

AUse <code>true</code> for most rules to reduce evaluation time and rely on client-side checks.
BWrite specific rules at each node level, avoiding deep nesting and using path variables for ownership checks.
CWrite broad rules at the root level with complex conditions to cover all nodes.
DDuplicate rules in multiple places to ensure coverage, even if it increases rule size.
Attempts:
2 left
💡 Hint

Think about how Firebase evaluates rules and the impact of rule complexity.