My basic question is how do you set up Firebase rules to only allow access to certain leaf nodes from their parent?
Let's say I have data that looks like this:
I believe the canonical way to do that is to place a rule directly on the element to be read, not on the collection.
```json
{
  "rules": {
    "posts": {
      "$post": {
        ".read": "auth.admin || data.child('restricted').val() !== true"
      }
    }
  }
}
```
You can use the `data.hasChild` expression to achieve this:
```json
{
  "rules": {
    "posts": {
      ".read": "auth.admin || data.hasChild('restricted').val() !== true"
    }
  }
}
```
However, this is not the recommended approach and won't work in practice. Security rules are not a good fit for filtering data based on access - you'll see permission denied errors in the console because angularFire will try to read all the posts from /blog and it will fail.
Instead, each user should know which posts they have access to and only fetch those directly. You can use `push()` (or `$add` in angularFire) to generate random post IDs and set the security rules such that you can access the data if you know the post ID, for example.
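
The behaviour both answers rely on (a rule on `$post` does not make `/posts` readable, and a read is granted only by a rule at or above the requested path) can be modelled in a few lines. This is an added example, not code from either answer and not Firebase's rule engine: `db`, `rules` and `canRead` are hypothetical names, the sample data is constructed, and the per-post rule is rewritten as a JavaScript predicate.

```javascript
// Simplified model of Realtime Database read evaluation (a sketch, not
// Firebase's engine): a read is allowed only if a read rule at the requested
// path or at one of its ancestors evaluates to true. Rules on children are
// never consulted, so they cannot act as a filter on a parent read.

// Constructed sample data.
const db = {
  posts: {
    "-Kpub1": { title: "Public post" },
    "-Ksec2": { title: "Internal post", restricted: true },
  },
};

// The per-post rule, expressed as a predicate over (auth, data).
const rules = {
  posts: {
    $post: {
      read: (auth, data) =>
        Boolean(auth && auth.admin) || !(data && data.restricted === true),
    },
  },
};

function canRead(path, auth) {
  const segments = path.split("/").filter(Boolean);
  let ruleNode = rules;
  let dataNode = db;
  for (let i = 0; ; i++) {
    // A rule that grants access here also covers everything below it.
    if (ruleNode && typeof ruleNode.read === "function" &&
        ruleNode.read(auth, dataNode)) {
      return true;
    }
    // Requested location reached, or no rules further down: default deny.
    if (i === segments.length || !ruleNode) return false;
    const seg = segments[i];
    // Prefer a literal key, otherwise fall back to a $wildcard key.
    const wildcard = Object.keys(ruleNode).find((k) => k.startsWith("$"));
    ruleNode = ruleNode[seg] ?? (wildcard ? ruleNode[wildcard] : undefined);
    dataNode = dataNode == null ? undefined : dataNode[seg];
  }
}

console.log(canRead("/posts", { admin: true }));  // listing the collection
console.log(canRead("/posts/-Kpub1", null));      // direct fetch by ID
```

In this model a read of `/posts` is denied for every caller, including an admin, while a direct fetch of a known post ID is decided by that post's own rule.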