WOW I can't believe I finally made it with Firebase security rules!

Ok so,

I know rules-fu.

I’ve been studying and fighting with firebase for a while now, it’s NOT been easy for me, but I think I can say that I nailed it.

So if you need help with firebase security, I’llgladly helpfellow thunkers to saveyou tons of time.


I’ll be interested in to know what you did can you give us an example or tell us what you did ?
i’ll glad to read it ! :clap::clap::pray::muscle:

1 Like

“rules”: {
“FireBaseIDs”: {
“.read”: “root.child(‘Clienti’).child(auth.uid).child(‘ruolo’).val() == ‘admin’”,
“.write”: “auth != null”,
“ListaClienti”: {
“.read”: true,
“.write”: “auth != null”,
“Clienti”: {
“.write”: “auth != null && newData.child(auth.uid).isString()”,
“$userId”: {
“.read”: “$userId === auth.uid || root.child(‘Clienti’).child(auth.uid).child(‘ruolo’).val() == ‘admin’”,
“.write”: “$userId === auth.uid || root.child(‘Clienti’).child(auth.uid).child(‘ruolo’).val() == ‘admin’”,



@Daniel_Coglitore if you understand this, youknow firebase rules-fu too! XD
What project are you working on?


have no idea what you did it seems complicated haha!

I’m working on an app for Sports in this case for Tennis! where users can contact each other so they can schedule when to play togheter or to know what tournaments are near then …

the rules i’m thinking on use in firebase is that users who haven’t verified their emails can read but can’t write ! but that would be one of the las thing to do :sweat_smile:

That’s easy to do, you will have to structure the data tree accordingly.

Are you italian like me? We can discuss it.

1 Like

Here is a (hopefully) simple explanation of how I used firebase rules to only allow signed in users to read and write to their data:

  "rules": {
      "PASSWORDS": {
          "$uid": {
              ".read": "$uid === auth.uid",
              ".write": "$uid === auth.uid"
      "TOTAL": {
          ".read": "true",
          ".write": "auth != null"

Hey, I’m subscribed to your channel! didn’t know that you explained security rules! thanks now I know what @maxb did !


Thanks but those rules don’t let the admin read or write users data, mines do let him.

I’m also concerned that a Hacker could modify the data in folders that different users have access to, so I am now stydying how to avoid data delete and update, so @darren a good video would be to make many examples on how to use newdata().exists, .validate and the like

Thanks for sharing! I wanted share my approach as all apps and use cases are a little different. Send me a personal message if you’d be interested in collabing with me or working on a video tutorial on Firebase rules!

Hi Thanks for sharing! i copy and pasted the rules to fire base and it gives the error in the image.

Have you enabled the authentication function trough email?

It might be that.

If you don’t know how to do it there is an explanaation in the thunkable documentation, sign in component

Ok, hit me up and tell me what kind of video you wanna make and stuff :+1:

1 Like

wow that’s cool

Hi @maxb and @darren,

thank you for the explanation. I got an email from google that my security settings in firebase are insecure. They are right and I want to fix it. I don’t get how the rules work and how ThunkableX and firebase work together:

I made a simple app for users who can share messages. I put the Firebase settings in the app config, and after that I can use cloud variables (and events like “when … changes”) for the messages. When I leave the firebase-setting to “read=true / write=true” then I can run my app without login, but those settings are unsafe.

When I understand you correctly the users should login first, and after that your rules can be applied. But where do your values like “Clienti”, “ruolo” or “admin” come from? Is this the login name?

Thanks for sharing this code. I have been looking for a way out of this security rule thing. It works with thunkable sign_In but unfortunately, the real time Database Chat that was working before is no longer working. Is there any other thing I should do in the frontend?

Omg i just use read = “auth != null”, can’t believe there is so many things! However I don’t understand all of them :rofl:

it’s the structure of the database, Clienti, and ruolo are written by me; to read the data in FireBaseIDs firebase will check in Clienti your authentification (auth.uid) and the value in “ruolo” needs to be “admin” to read the values,
while everyone that is authorized (auth =! null) can write in that “folder” (FireBaseIDs).

It’s very complicated, i will have to read it again as some time has passed since the last time.
You will have to study on the documentation given by google which is not the clearest in my opinion, I also read a lot of external sources

@maxb I really need some help with my security rules. I need such data in which I (The Owner) can read and write data and people using the Thunkable App can also save data. Can you help me out with this.

A long time has passed and I’m now busy in other projects, I can’t even recall where I learnt firebase rules but of course google is your help, just read a lot here and there and you might eventually get what you are looking for.

Sorry for not helping you but I really have little time on me

@maxb No problem