elixirlabsinc / endslaverynow

Creating the End Slavery Now project

Audit log phase 1 #35

Closed pedanticantic closed 4 years ago

pedanticantic commented 4 years ago

This is phase 1 of the audit log module (obviously).

It is concerned just with creating the audit log records.

It does nothing to report on them - that is phase 2.

pedanticantic commented 4 years ago

I had to update the DB access rules again (because it can create log records for non-logged-in users). It's not perfect, but it's good enough.

This is an extract of the new rules:

...
    "auditLog": {
      "$auditLog": {
        ".write": "!data.exists() && (auth !== null  || newData.child('userType').val() == 'anonymous')"
      }
    },
    ".read": "true",
    ".write": "auth !== null && !newData.hasChild('auditLog')",
...

Basically, by default you can only write records if you are an admin user and you are not trying to write to the audit log. Then, the audit log says, "You can't edit or delete log records at all (the latter may change in phase 3), but you can insert log records if either you are logged in as an admin user, or you are trying to create an "anonymous" log entry".
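The `$auditLog` write rule from the extract above, modelled as a plain JavaScript function and run against constructed write attempts. This is an added example, not code from the pull request; the function names, sample records and `uid` value are assumptions, and it models only that one rule, not the root-level rule or Firebase's rule cascade.

```javascript
// Added example: simplified model of the "$auditLog" .write rule.
// auth:     null for a signed-out client, otherwise an object
// existing: record already stored at the path, or null  -> data.exists()
// incoming: value being written, or null for a delete   -> newData
function auditLogWriteAllowed(auth, existing, incoming) {
  const dataExists = existing !== null;
  // newData.child('userType').val() yields null when the child is absent
  const newUserType =
    incoming !== null && typeof incoming === 'object' && 'userType' in incoming
      ? incoming.userType
      : null;
  return !dataExists && (auth !== null || newUserType === 'anonymous');
}

// Constructed write attempts (not taken from the project).
const admin = { uid: 'example-admin-uid' }; // placeholder identity
const stored = { userType: 'admin', action: 'update' };
const attempts = [
  { name: 'signed-out create, userType anonymous',
    auth: null, existing: null, incoming: { userType: 'anonymous', action: 'view' } },
  { name: 'signed-out create, userType admin',
    auth: null, existing: null, incoming: { userType: 'admin', action: 'update' } },
  { name: 'signed-out create, no userType',
    auth: null, existing: null, incoming: { action: 'view' } },
  { name: 'signed-in create',
    auth: admin, existing: null, incoming: { userType: 'admin', action: 'update' } },
  { name: 'signed-in overwrite of existing record',
    auth: admin, existing: stored, incoming: { userType: 'admin', action: 'edited' } },
  { name: 'signed-in delete of existing record',
    auth: admin, existing: stored, incoming: null },
  { name: 'signed-out overwrite of existing record',
    auth: null, existing: stored, incoming: { userType: 'anonymous', action: 'view' } },
];

// Evaluate every attempt against the modelled rule.
function evaluateAttempts() {
  return attempts.map(a => ({
    name: a.name,
    allowed: auditLogWriteAllowed(a.auth, a.existing, a.incoming),
  }));
}

for (const r of evaluateAttempts()) {
  console.log(`${r.allowed ? 'ALLOW' : 'DENY '}  ${r.name}`);
}
```

For signed-out writers the rule constrains only `userType`; the shape of the other fields in a log record would need `.validate` rules, which the extract does not show.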