Reputation: 671
I have a movie app. People can comment on a movie.
I checked:
Firebase Security & Rules, How can I let users delete their own data?
https://www.firebase.com/docs/security/guide/securing-data.html#section-data-variables
https://www.firebase.com/docs/security/guide/user-security.html
But I couldn't find my answer.
comments {
  550: {
    UKs5lg...: {
      comment: "this is comment",
      userId: "Jkulsç122doasdjk"
    },
    WfyG5Hsl...: {
      comment: "this is comment2",
      userId: "Jkulsç122doasdjk"
    }
  },
  1694: {
    Ki5Uydmk...: {
      comment: "movie 2 comment 1",
      userId: "Jkulsç122doasdjk"
    },
    Kovx9ox...: {
      comment: "movie 2 comment2",
      userId: "Jkulsç122doasdjk"
    }
  }
}
In the database, numbers like 550, 1694, etc. are the id numbers of the movies. Every movie has comments, each with a unique id, as you can see. Every comment has comment and userId (the uid of the user who sent the comment) properties. I delete the comment, but I want a user to be able to delete only their own comment. So I want to set a rule like:
{
  "rules": {
    "comments": {
      "$movieId": {
        ".read": true,
        ".write": ??????,
      }
    }
  }
}
What security rule should I write instead of the question marks? I want to write something like:
".write" : "!data.exists() || (!newData.exists() && data.child(blabla+ 'userId').val() === auth.uid)"
but I cannot write it because I don't know how I should get the unique id as a child.
Upvotes: 1
Views: 143
Reputation: 598728
You need to push the rule down to the level where you want to enforce an operation. Since you say that each user should be able to delete only their own comment, the rule to enforce this should be on the comments:
{
  "rules": {
    "comments": {
      ".read": true,
      "$movieId": {
        "$commentId": {
          ".write": "!data.exists() || (!newData.exists() && data.child('userId').val() === auth.uid)"
        }
      }
    }
  }
}
Upvotes: 3
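The following is an added example, not part of the question or the answer: a simplified JavaScript model (not the Firebase rules engine) of which writes the answer's `$commentId` rule accepts, next to a stricter variant. The function names, the sample users and the hardened rule are assumptions made for illustration.

```javascript
// Simplified model of the ".write" check at /comments/$movieId/$commentId.
// `data` is the stored value, `newData` the value after the write;
// null stands for "does not exist". Not the real Firebase rules engine.
const exists = (v) => v !== null && v !== undefined;

// Rule from the answer:
// !data.exists() || (!newData.exists() && data.child('userId').val() === auth.uid)
function answerRule(data, newData, auth) {
  if (!exists(data)) return true; // creation is open to any client
  return !exists(newData) && auth != null && data.userId === auth.uid;
}

// Hardened variant (assumption, not from the page). As a rule string:
// auth != null && ((!data.exists() && newData.child('userId').val() === auth.uid)
//   || (data.exists() && !newData.exists() && data.child('userId').val() === auth.uid))
function hardenedRule(data, newData, auth) {
  if (auth == null) return false;
  if (!exists(data)) return exists(newData) && newData.userId === auth.uid;
  return !exists(newData) && data.userId === auth.uid;
}

// Constructed sample values.
const alice = { uid: 'alice-uid' };
const bob = { uid: 'bob-uid' };
const stored = { comment: 'this is comment', userId: 'alice-uid' };

// [label, data, newData, auth]
const cases = [
  ['owner deletes own comment', stored, null, alice],
  ['other user deletes comment', stored, null, bob],
  ['owner edits own comment', stored, { ...stored, comment: 'edited' }, alice],
  ['signed-out client deletes', stored, null, null],
  ['signed-out client creates', null, stored, null],
  ['bob creates with alice userId', null, stored, bob],
  ['alice creates own comment', null, stored, alice],
];

function evaluate(rule) {
  return Object.fromEntries(cases.map(([name, d, n, a]) => [name, rule(d, n, a)]));
}

console.table({ answer: evaluate(answerRule), hardened: evaluate(hardenedRule) });
```

Both rules limit deletion to the comment's owner and reject edits; they differ only on creation, where the answer's rule does not tie the written `userId` to the signed-in user.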