Properties with only read/write false rules are omitted - even if sibling to wildcard property.

[fabiozaffani]

Firebase work in a permissive mode by default (everyone allowed to read and write anything) I always set the paths and objects to read and write to false. However doing that inside a *.bolt file will translate to nothing. Let's use the following rules as an example:

path / {
    read() = false;
    write() = false;
}

Nothing get's generated in the resulting json file, the desired effect, however, should be

{
  "rules": {
    ".read": "false",
    ".write": "false"
  }
}

[fabiozaffani]

Just an update with a temporary workaround, for now i'm using the following statement to emulate the "false".

path / {
    read() = 1 == 0;
    write() = 1 == 0;
}

which will translate to

{
  "rules": {
    ".read": "1==0",
    ".write": "1==0"
  }
}

Since firebase will parse the value inside the ".read" and ".write" attributes, the statement "1==0" will be falsy.

[mckoss]

Firebase is read==false and write==false by default, so there is no need for this.

[jacob-israel-turner]

There is a need for this. I want to make only one key un-readable and un-writable, but every sibling key readable and writable when authed. @fabiozaffani's workaround makes this possible, but compiling write() = false should be an option.

[mckoss]

write() = false is a NO-OP in Firebase (JSON) rules. This is because all write rules are OR-ed together in the hierarchy - there is no way to make a child property unwritable when it has already been made writable by a parent rule.

[jacob-israel-turner]

I'm not talking about parent keys, but siblings.

path /parent {
  read() = auth !== null;
  /someKey {
    write() = false; 
  }
  /$all_other_keys {
    write() = auth !== null;
  }
}

I want to make someKey unwritable, but every other key writable if you're authed. This compiles to:

"parent": {
  "someKey": {
    "$all_other_keys": {
      ".write": "auth != null"
    }
  },
  ".read": "auth != null"
}

Which makes every key (including someKey) writable with auth.

I've realized that our model was actually different, so this doesn't affect me now. But it could certainly match a future use-case.

The best solution I can see would be to correctly compile write() = false. The write() = 0 == 1 workaround should work as well. Correct me if there is currently another, better way to do this.

[mckoss]

Ah! Now I see - thanks for the example.

Since someKey is omitted (by Bolt), it is shadowed by a sibling WILDCARD rule! You current example compiles to:

{
  "rules": {
    "parent": {
      "$all_other_keys": {
        ".write": "auth != null"
      },
      ".read": "auth != null"
    }
  }
}

What is wanted is:

{
  "rules": {
    "parent": {
      "someKey": {
         ".write": "false"
      }
      "$all_other_keys": {
        ".write": "auth != null"
      },
      ".read": "auth != null"
    }
  }
}

[jacob-israel-turner]

Uh, then I'm confused.

From my understanding, $all_other_keys is an alias for every key under parent, meaning, if I have the data:

{
  "parent": {
    "this_is_a_key": "foo",
    "someKey": "bar",
    "this_is_another_key": "baz"
  }
}

then all three keys (this_is_a_key, someKey, and this_is_another_key) will now be writable (if authed), given the rules that you just posted.

Am I missing something?

[mckoss]

(I edited my last response - I get it now!)

[jacob-israel-turner]

Ah yes, exactly. :)

[mckoss]

Another work-around is to apply a type to someKey - which will emit a node for it in the JSON tree:

path /parent {
  read() = auth !== null;
  /someKey is String;
  /$all_other_keys {
    write() = auth != null;
  }
}

Generates

{
  "rules": {
    "parent": {
      "someKey": {
        ".validate": "newData.isString()"
      },
      "$all_other_keys": {
        ".write": "auth != null"
      },
      ".read": "auth != null"
    }
  }
}