Realtime Database security rules in Firebase - Mini Project: Build & Apply

Realtime Database Security Rules
📖 Scenario: You are building a simple chat app using Firebase Realtime Database. You want to make sure that users can only read and write their own messages to keep conversations private and secure.
🎯 Goal: Create Firebase Realtime Database security rules that allow users to read and write only their own messages under the /messages/{userId} path. Users should not access other users' messages.
📋 What You'll Learn
Create a root rules object
Allow read and write only if the authenticated user's UID matches the {userId} in the database path
Deny all other access
💡 Why This Matters
🌍 Real World
Realtime Database security rules protect user data in apps like chat, social media, and collaboration tools.
💼 Career
Understanding and writing security rules is essential for Firebase developers and cloud engineers to secure data and comply with privacy requirements.
1. Create the root rules object
Create a root rules object with an empty messages child object in the Firebase Realtime Database security rules.
Hint: Start by defining the rules object and add an empty messages child object inside it.

2. Add a wildcard {userId} under messages
Inside the messages object, add a wildcard key called {userId} to represent each user's message node.
Hint: Use curly braces {} to define a wildcard key for user IDs.

3. Add read and write rules to allow only the authenticated user
Inside the {userId} object, add .read and .write rules that allow access only if auth != null and auth.uid == userId.
Hint: Use auth.uid == userId to check if the user is accessing their own data.

4. Deny all other access by default
Add a default rule at the root level to deny all reads and writes that do not match the above rules.
Hint: Set .read and .write to false at the root to deny all other access.
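
The finished rules from steps 1-4 together with a check of who they admit, as an added example that is not part of the original exercise. Realtime Database rules write the {userId} wildcard as $userId; isAllowed and evaluate are hypothetical helpers that model rule cascading locally and are not Firebase's own evaluator.

```javascript
// Rules built in steps 1-4 (keys quoted so the object is also valid JSON).
// Realtime Database spells the path wildcard "$userId".
const rules = {
  "rules": {
    ".read": false,
    ".write": false,
    "messages": {
      "$userId": {
        ".read": "auth != null && auth.uid == $userId",
        ".write": "auth != null && auth.uid == $userId"
      }
    }
  }
};

// Hypothetical helper: evaluate one rule. Booleans are used as-is; the
// expressions on this page are also valid JavaScript, so they are run directly.
function evaluate(rule, auth, vars) {
  if (typeof rule !== "string") return rule === true;
  const names = Object.keys(vars);
  const fn = new Function("auth", ...names, "return (" + rule + ");");
  return fn(auth, ...names.map((n) => vars[n])) === true;
}

// Simplified model (an assumption, not Firebase's code): walk the path from
// the root, bind $wildcards, and allow as soon as a rule on the path is true.
// A false at the root does not cancel a grant found deeper down; if no rule
// on the path is true, the operation is denied.
function isAllowed(ruleset, op, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = ruleset.rules;
  for (let i = 0; ; i++) {
    if (evaluate(node["." + op], auth, vars)) return true;
    if (i === segments.length) return false;
    const key = segments[i];
    const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
    if (!/^[.$]/.test(key) && Object.prototype.hasOwnProperty.call(node, key)) {
      node = node[key];
    } else if (wildcard) {
      vars[wildcard] = key;
      node = node[wildcard];
    } else {
      return false; // nothing in the rules covers the rest of the path
    }
  }
}
```

Under this model, a client signed in as alice can read and write /messages/alice and anything beneath it, while a client signed in as bob, an unauthenticated client, and a read of /messages as a whole are all denied.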