by throwawayReply 2988 days ago
I'm not familiar with Firebase, but am I reading correctly that rules cascade but without specificity rules?

How does cascading make sense at all if lower-down rules don't supersede higher rules?

4 comments

Cascade is the worst possible word to use for someone coming from a CSS background. From the very beginning of CSS history, cascading was tied to a notion of specificity - if you have a rule for h1 it overrides what was in the html rule. https://css-tricks.com/look-back-history-css/

But whatever Firebase is doing, it’s the opposite of specificity - it’s closer to “search top down until we find something truthy then stop.” https://firebase.google.com/docs/database/security/

This is simpler and more efficient to implement and run at scale. But imagine if styling worked like that - you could never have colored overlays, or anything we take for granted.

When over-eager marketing speak encourages insecurity, it’s a significant ethical breach.

This isn't CSS, it's a well-documented behavior of Firebase Realtime Database because it's "just" nested JSON. If you request one node in the JSON and it passes a security rule, it gives you the entire node. Having to traverse all children for additional rules would be less performant.

I do think that if this is such a common behavior, the rules DSL could be revised so that fewer people fall down the "pit of success". At the very least, do not allow people to define rules that have already been defined by parents. This should be part of Firebase; the fact that there's a startup providing this service is the biggest code smell I can think of telling you there's a problem here.

Agreed - this doesn't seem to make sense to me. And the docs seem to corroborate this:

> Note that .read and .write rules shallower in the database override deeper rules, so read access to /foo/bar/baz would still be granted in this example even if a rule at the path /foo/bar/baz evaluated to false.

https://firebase.google.com/docs/database/security/

This seems unreasonable at first glance. Does anyone know the rationale for it?

I don't speak for the Firebase team, but this is my rationale: it's "just" nested JSON. If you request one node in the JSON and it passes a security rule, it gives you the entire node. Having to traverse all children for additional rules would be less performant.
Picture a tree in which the roots contain protected data and the leaves contain public data. The further you go in the direction of the roots, the more certification you need.
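The "first truthy rule wins, shallower overrides deeper" behavior quoted from the docs above, modelled as an added example (toy code written for this thread, not Firebase's own engine): rules are nested dicts, `.read`/`.write` values are booleans standing in for already-evaluated rule expressions, and `shadowed_rules` is the lint suggested above for flagging rules that a parent has already made irrelevant.

```python
"""Toy model of Firebase Realtime Database rule cascading (added example,
not Firebase's code). Rule expressions are replaced by plain booleans."""

RULE_KEYS = (".read", ".write")


def access_allowed(rules: dict, path: str, kind: str = ".read") -> bool:
    """Walk from the root toward `path`; the first truthy rule grants
    access to that whole subtree, so a deeper rule cannot revoke it."""
    node = rules
    if node.get(kind):
        return True
    for segment in path.strip("/").split("/"):
        if segment == "":
            break
        node = node.get(segment)
        if node is None:  # nothing defined below here: deny by default
            return False
        if node.get(kind):
            return True
    return False


def shadowed_rules(rules: dict, kind: str = ".read") -> list:
    """Lint: paths carrying a rule that can never take effect because an
    ancestor already grants the same kind of access."""
    found = []

    def walk(node, prefix, granted):
        for key, child in node.items():
            if key in RULE_KEYS:
                continue
            child_path = f"{prefix}/{key}"
            if kind in child and granted:
                found.append(child_path)
            walk(child, child_path, granted or bool(child.get(kind)))

    walk(rules, "", bool(rules.get(kind)))
    return found


# Constructed rules mirroring the documented example: /foo is readable,
# so the deeper ".read": false at /foo/bar/baz is silently ignored.
WEAK_RULES = {"foo": {".read": True, "bar": {"baz": {".read": False}}}}

# Corrected: grant only at the narrowest path that actually needs it,
# so /foo/bar/baz stays denied and nothing is shadowed.
FIXED_RULES = {"foo": {"public": {".read": True},
                       "bar": {"baz": {".read": False}}}}
```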