rules.json

{
  "rules": {
    // All data is readable by anyone.
    ".read": true,
    "people": {
      // A list of users with their names on the site.
      "$userid": {
        // Only the user can write their own entry into this list.
        ".write": "$userid ==auth.uid"
      }
    },
    "users": {
      "$userid": {
        // The user is allowed to write everything in their bucket.
        ".write": "$userid ==auth.uid",
        "following": {
          // The following list should only contain actual ids from the "people" list.
          "$followingid": {
            ".validate": "root.child('people').hasChild($followingid)"
          }
        },
        "followers": {
          // Anyone can add themself to to this user's followers list.
          "$followerid": {
            ".write": "$followerid ==auth.uid"
          }
        },
        "feed": {
          "$sparkid": {
            // User A can write in user B's feed, but only if A is following B, and only for sparks for which they are the author.
            ".write": "root.child('users/' + $userid + '/following').hasChild(auth.uid) && root.child('sparks/' + $sparkid + '/author').val() ==auth.uid"
          }
        }
      }
    },
    "sparks": {
      // A global list of sparks (the "firehose").
      "$sparkid": {
        // Modifying an existing spark is not allowed.
        ".write": "!data.exists()",
        // Every spark should have an author and a body.
        ".validate": "newData.hasChildren(['author', 'content'])",
        // A user can attribute a spark only to themselves.
        "author": {
          ".validate": "newData.val() ==auth.uid"
        },
        "content": {
          ".validate": "newData.isString()"
        }
      }
    },
    "recent-users": {
      // Users can add themselves to the list of users with recent activity.
      "$userid": {
        ".write": "$userid ==auth.uid"
      }
    },
    "recent-sparks": {
      // Authors of sparks can add their sparks to this list.
      "$sparkid": {
        ".write": "root.child('sparks/' + $sparkid + '/author').val() ==auth.uid"
      }
    },
    "search": {
      "firstName": {
        "$searchKey": {
          ".write": "auth != null && (root.child('people/' +auth.uid + '/firstName').val() + '|' + root.child('people/' +auth.uid + '/lastName').val() + '|' +auth.uid) == $searchKey && newData.val() ==auth.uid"
        }
      },
      "lastName": {
        "$searchKey": {
          ".write": "auth != null && (root.child('people/' +auth.uid + '/lastName').val() + '|' + root.child('people/' +auth.uid + '/firstName').val() + '|' +auth.uid) == $searchKey && newData.val() ==auth.uid"
        }
      }
    }
  }
}