I have a messages object in the root, which is simply an array of strings. I want to allow users to push new objects. If they can push to the messages root, they should have write permission to it, which means they can easily replace the whole messages object with other valid data. What kind of security rules should I write to avoid this?
You can write a rule to allow adding data if data does not exist, but prevent data from being modified or deleted using the following rule.
".write": "!data.exists() && newData.exists()"
The 'data' variable is the current data in Firebase. 'newData' is the resulting data if the write is allowed.
For a more detailed explanation, please check out the Security & Rules API.
The full rules definition should read:
{
  "rules": {
    ".read": false,
    "feedback": {
      "$key": {
        ".write": "!data.exists()"
      }
    }
  }
}
This lets you push at the /feedback location. You can freely choose the variable name $key.
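The two rule sets above, exercised in a small JavaScript model of how ".write" rules are checked along the path of a write. This is an added example, not part of either answer and not Firebase code; canWrite, applyWrite, the rule-set names and the sample data are constructed for illustration, and the model covers only ".write" with data.exists() and newData.exists().

```javascript
// Simplified model of how ".write" rules are evaluated for one write
// (illustration only, not the Firebase rules engine).
const exists = (v) => v !== undefined && v !== null;
const snap = (v) => ({ exists: () => exists(v) });
const child = (node, seg) =>
  node !== null && typeof node === "object" ? node[seg] : undefined;

// Rules from the two answers, with each rule string written as a function.
const firstAnswer = { feedback: { $key: {
  ".write": (data, newData) => !data.exists() && newData.exists() } } };
const secondAnswer = { feedback: { $key: {
  ".write": (data) => !data.exists() } } };

// Constructed sample data: two messages stored under push-style keys.
const db = { feedback: { k1: "first message", k2: "second message" } };

// Tree after writing `value` at `segs`; null deletes, empty nodes vanish.
function applyWrite(node, segs, value) {
  if (segs.length === 0) return value;
  const copy = { ...(exists(node) && typeof node === "object" ? node : {}) };
  const next = applyWrite(copy[segs[0]], segs.slice(1), value);
  if (exists(next)) copy[segs[0]] = next;
  else delete copy[segs[0]];
  return Object.keys(copy).length ? copy : null;
}

// Allowed if any ".write" rule on the path from the root down to the write
// location grants it. Rules below the write location are never consulted.
function canWrite(rules, path, value) {
  const segs = path.split("/").filter(Boolean);
  let rule = rules, data = db, newData = applyWrite(db, segs, value);
  for (let i = 0; ; i++) {
    const write = rule && rule[".write"];
    if (write && write(snap(data), snap(newData))) return true;
    if (!rule || i === segs.length) return false;
    const wildcard = Object.keys(rule).find((k) => k.startsWith("$"));
    rule = rule[segs[i]] || (wildcard && rule[wildcard]);
    data = child(data, segs[i]);
    newData = child(newData, segs[i]);
  }
}

console.log(canWrite(firstAnswer, "/feedback/k3", "new message")); // push
console.log(canWrite(firstAnswer, "/feedback/k1", "tampered"));    // overwrite
console.log(canWrite(firstAnswer, "/feedback", ["replaced"]));     // replace all
```

In this model the two rule sets differ only for a null write to a key that does not exist: the first answer's rule rejects it, the second answer's rule lets it through as a no-op.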