Administrator Rights

In notebook:
FrontEndMasters Serverless
Created at:
2017-10-15
Updated:
2017-10-15
Tags:
backend JavaScript

This question came up in the break...

There is an admins ref in the database.

It contains the uid of the person who created the app. He will tighten this up.

He then goes exploring the rules in the Firebase web console:

{
  "rules": {
    ".read": "true", // ☛  anyone can read even if not logged in
    "users": {
      "$user": { // ☛  who can write to users ↴
        ".write": "newData.exists() || data.child('uid').val() == auth.uid",
        ".validate": "newData.hasChildren(['displayName', 'photoURL'])"
      }
    },
    "messages": {
      "$message": { // ☛  who can write to messages ↴
        ".write": "newData.exists() || data.child('uid').val() == auth.uid || root.child('admins').child(auth.uid).val() == true",
        ".validate": "newData.hasChildren(['content', 'timeStamp', 'uid'])"
      }
    }
  }
}

From above:

root.child('admins').child(auth.uid).val() == true

  1. go to the top of the database (root) and into admins
  2. look up the current user's uid there
  3. if it's set to true (so the user is an admin), they can change the message

otherwise:

data.child('uid').val() == auth.uid ☛ the owner of the message has the right to change the message

and finally, the first rule:

newData.exists() ☛ if it's new data, anyone can write it or delete it

Question: won't root.child('admins').child(auth.uid).val() blow up at the .val() part, since the user does not exist under admins? (It would in normal JavaScript.)

  • no, because Firebase lets you traverse non-existent branches and will just give you null

the .validate rule from above

.validate is like a write rule, but it only applies to that exact node (it does not cascade).

".validate": "newData.hasChildren(['content', 'timeStamp', 'uid'])" ☛ you can only write a new message if it has these fields (content, timeStamp, uid); otherwise it will be rejected
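To make the three .write clauses, the .validate rule and the null-traversal answer concrete, here is an added example (my own code, not from the course and not Firebase's rules engine): a small in-memory model of the RuleDataSnapshot methods the rules use, run over a constructed database with one admin (alice) and one message owned by bob. In the rules language a delete arrives as newData == null, so newData.exists() is false for deletes, and an unauthenticated request has auth == null; both are modelled below. The Snapshot class, user ids and message contents are all constructed for the illustration.

```javascript
// Added example (not code from the course or from Firebase): a small
// in-memory model of the Realtime Database rule semantics discussed above,
// used to check who the messages/$message rules let create, overwrite or
// delete a message. The snapshot class, the admins/messages contents and
// the user ids are all constructed for this illustration.

// Mimics RuleDataSnapshot: child() on a branch that does not exist returns
// an empty snapshot instead of throwing, so a chained .val() is just null.
class Snapshot {
  constructor(value) { this.value = value === undefined ? null : value; }
  child(key) {
    const v = this.value;
    return new Snapshot(v !== null && typeof v === 'object' ? v[key] : undefined);
  }
  val() { return this.value; }
  exists() { return this.value !== null; }
  hasChildren(keys) {
    const v = this.value;
    if (v === null || typeof v !== 'object') return false;
    return keys.every(k => v[k] !== undefined && v[k] !== null);
  }
}

// Constructed database contents: alice is the only admin, bob owns m1.
const db = {
  admins: { 'uid-alice': true },
  messages: { m1: { content: 'hi', timeStamp: 1, uid: 'uid-bob' } },
};

// The page's ".write" rule for messages/$message, clause by clause.
// auth is null for an unauthenticated request; in Firebase any clause that
// touches auth.uid then fails, which the uid !== null guards reproduce.
function messageWriteAllowed({ root, data, newData, auth }) {
  const uid = auth ? auth.uid : null;
  const isNewData = newData.exists();                       // false for a delete
  const isOwner = uid !== null && data.child('uid').val() === uid;
  const isAdmin = uid !== null && root.child('admins').child(uid).val() === true;
  return isNewData || isOwner || isAdmin;
}

// The page's ".validate" rule for messages/$message.
function messageValidates(newData) {
  return newData.hasChildren(['content', 'timeStamp', 'uid']);
}

// Run one write attempt through both rules. value === null is a delete,
// and .validate is only evaluated when there is new data to validate.
function attemptWrite(auth, messageId, value) {
  const root = new Snapshot(db);
  const data = root.child('messages').child(messageId);
  const newData = new Snapshot(value);
  if (!messageWriteAllowed({ root, data, newData, auth })) return 'denied:write';
  if (newData.exists() && !messageValidates(newData)) return 'denied:validate';
  return 'allowed';
}

// Walk the scenarios a reviewer of these rules would ask about.
function scenarios() {
  return {
    anonymousCreate: attemptWrite(null, 'm2', { content: 'x', timeStamp: 2, uid: 'uid-anyone' }),
    anonymousDelete: attemptWrite(null, 'm1', null),
    ownerDelete: attemptWrite({ uid: 'uid-bob' }, 'm1', null),
    adminDelete: attemptWrite({ uid: 'uid-alice' }, 'm1', null),
    strangerDelete: attemptWrite({ uid: 'uid-carol' }, 'm1', null),
    strangerOverwrite: attemptWrite({ uid: 'uid-carol' }, 'm1', { content: 'x', timeStamp: 3, uid: 'uid-carol' }),
    missingField: attemptWrite({ uid: 'uid-carol' }, 'm1', { content: 'x', uid: 'uid-carol' }),
    nonAdminLookup: new Snapshot(db).child('admins').child('uid-carol').val(),
  };
}

console.table(scenarios());
```

Running it shows why the instructor says he will tighten this up: because newData.exists() is the first clause, the model lets carol (neither owner nor admin) overwrite bob's message as long as the new value passes .validate, while only bob or alice can delete it. The nonAdminLookup row is the answer to the question below it: the admins lookup for an unknown uid yields null rather than an error.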

Question: can you use functions inside the database rules?

No, you cannot write your own functions: the rules are strings. In Storage you can use functions, but not in the Realtime Database. There's a workaround: generate your own rule strings at deploy time.