Authorization - deciding who gets to access what data, and how

As for authorization, it is possible to set rules:

  • On the whole database
  • Per collection

It is also important to know that the rules are enforced in these ways:

  • Atomically: Applies to a specific element
  • Cascading: Applies to a specific element and all its children

The permission level is either:

  • Read: This will make it possible to read the contents of the resource
  • Write: This will give you the ability to modify the resource
  • Deny: This will stop any write or read actions from being possible on the targeted resource

This calls for an example. Imagine you have the following database structure:

foo {
  bar: {
    child: 'value'
  }
}

Atomic authorization means that we need to be explicit; if we are not explicit, the default is to deny access. Let's try to enforce some rules on the preceding structure. We navigate to the rules section under the Database menu option. A rule is defined as a JSON object, like so:

{
  "rules": {
    "foo": {
      "bar": {
        ".read": true,
        ".write": false,
        "child": {}
      }
    }
  }
}

This means that we have set an explicit atomic rule for bar, and that rule is inherited by its child elements; that is, it acts in a cascading way. foo, on the other hand, has no rule attached to it. This would have the following consequences when trying to access the collections:

// deny
this.angularFireDatabase.object('/foo');
// read allowed, write not allowed
this.angularFireDatabase.object('/foo/bar');
// read allowed, write not allowed
this.angularFireDatabase.object('/foo/bar/child');
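
The three outcomes above can be reproduced with a small rule evaluator. This is an added example, not code from the book or from Firebase; the names isAllowed and report are hypothetical, and it assumes rules contain only literal true/false values (no rule expressions or $wildcard keys).

```javascript
// Simplified model of how read/write rules cascade down a path.
// Assumption: ".read"/".write" are literal booleans; anything else is a deny.

// Constructed rule tree, matching the structure shown above.
const rules = {
  foo: {
    bar: {
      ".read": true,
      ".write": false,
      child: {}
    }
  }
};

// Walk from the root towards the target. Access is granted as soon as any
// node on the way grants it (cascading). If no node on the path grants it,
// the result is the default: deny.
function isAllowed(ruleTree, path, op) {
  if (op !== "read" && op !== "write") {
    throw new Error("op must be 'read' or 'write'");
  }
  const key = "." + op;
  const segments = path.split("/").filter(Boolean);
  let node = ruleTree;
  if (node[key] === true) return true;
  for (const segment of segments) {
    const hasChild = node !== null && typeof node === "object" &&
      Object.prototype.hasOwnProperty.call(node, segment);
    if (!hasChild) return false; // no rule defined on this branch: deny
    node = node[segment];
    if (node !== null && typeof node === "object" && node[key] === true) {
      return true; // granted here, so it also applies to everything below
    }
  }
  return false;
}

// Evaluate both operations for a list of paths.
function report(ruleTree, paths) {
  return paths.map((p) => ({
    path: p,
    read: isAllowed(ruleTree, p, "read"),
    write: isAllowed(ruleTree, p, "write")
  }));
}

console.log(report(rules, ["/foo", "/foo/bar", "/foo/bar/child"]));
```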

This explains the types of rules that are in place. I urge you to look into this topic deeper by studying the following links:
