firebase-rules.json

{
  "rules": {
    "users": {
      "$userid": {
        "profile": {
          ".read": true,
          ".write": "$userid == auth.uid && auth.uid != null"
        },
        "notebooks": {
          ".read": "$userid == auth.uid && auth.uid != null",
          "$secretid": {
            // read only by editors when sharing/isPrivate == true
            ".read": "(data.child('meta/sharing/isPrivate').exists() == false) || (data.child('meta/sharing/isPrivate').val() == false) || (data.child('meta/sharing/isPrivate').val() == true && $userid == auth.uid) || ($userid == 'anonymous') || (data.child('meta/sharing/publicRead').val() == true)",
            // write by editors || everyone if anonymous
            ".write": "(data.child('meta/sharing/isPrivate').exists() == false) || (data.child('meta/sharing/isPrivate').val() == false) || ($userid == auth.uid && auth.uid != null) || ($userid == 'anonymous')",
            "meta": {
              "sharing": {
                // only the owner can set the document public/private
                ".write": "$userid == auth.uid && auth.uid != null",
                ".validate": "newData.hasChildren(['isPrivate', 'publicRead'])"
              },
              // NOTE: this should not exist. it is part of the path
              "uid": {
                ".validate": "!data.exists() && auth.uid != null && auth.uid == newData.val()"
              },
              "title": {
                ".validate": "newData.isString() && newData.val().length > 0"
              }
            },
            "history": {
              "$revision": {
                /* Prevent overwriting existing revisions. */
                ".validate": "data.val() === null"
              }
            },
            "checkpoint": {
              /* Ensure author of checkpoint is the same as the author of the revision they're checkpointing. */
              ".write": "root.child('users/' + $userid + '/notebooks/' + $secretid).child('history').child( newData.child('id').val() ).child('a').val() === newData.child('a').val()",
              ".validate": "newData.hasChildren(['a', 'o', 'id'])"
            },
            "users": {
              "$user": {
                ".write": "(auth != null && ($user == auth.uid)) || auth == null"
              }
            }
          }
        }
      }
    }
  }
}