Why can't I change the priority of my link to Firebase (Permission denied)

In my Firebase, I have an object that looks like this:

---- name
---- age


When I try to create it for the first time, I use this command:



This works great.

Sometimes I want to create this entry with priority and it can be done like this:

firebaseRef.child("person").setValue(..., myPriority)


This works great.

However, the priority must be updated later. I tried the following:



Unfortunately this fails with the "Permission denied" error message. Why is this?

The security rules for this link are as follows:

"person": {
    ".read": true,
    ".write": true,
    "name": { ".validate": "newData.isString()" },
    "age": { ".validate": "newData.isNumber()" },
    "$other": { ".validate": false }
}


As you can see, the node is readable and writable.



1 answer


The reason for the "permission denied" error is obviously in the security rules.

The problem is that the priority is stored in a "hidden" property, .priority, which is rarely mentioned in the documentation.

This property does not appear in Firebase Forge (dashboard), but it can be seen when exporting raw JSON.

Now the directive "$other": { ".validate": false } does not allow validating any property other than name and age. Therefore, the "Permission denied" error occurs.

However, I don't know why this object can be written in the first place when setValue(..., myPriority) is used. This should also throw an error.

Solution (half way):

It now seems obvious to add a new directive to the security rules that looks like this:

".priority": { ".validate": true }


But it doesn't work. Firebase Forge's answer:

Key names can't contain ".", "#", "$", "/", "[", or "]" (unbound names start with "$")


This means that we cannot properly solve this problem. We have to tweak our existing security rules with one flaw: the rule "$other": { ".validate": false } has to be removed when we want to update the priorities, leaving us with a flawed check.


