I am getting very confused with the Firebase rules structure. Basically I have a root folder called 'Transactions', containing many childByAutoIDs that again contains data, exactly like this:
I am now trying my best to implement the best possible security rules. I therefore tried to do something like this:
".write": "auth !== null",
".write": "auth !== null && data.child('sender').val() === auth.uid || data.child('receiver').val() === auth.uid",
".read": "auth !== null && data.child('sender').val() === auth.uid || data.child('receiver').val() === auth.uid"
So basically, from what I have learned, and also what I am struggling with - is the fact that the user is able to write anything, even in the 'wildcard IDs ($transactionAutoID)'. I know this is because I have set the '.write' in Transactions to 'auth !== null' - but if I don't have this set, users may not read or write any transaction data. (I have the rules by default set to false).
How would I proceed if I only wanted users to be able to create new childs in Transactions, but not write in any transaction keys, if they are not either the sender or the receiver?