We cannot allow un-auth user to change the database data as they want, for Firebase, it is easy just need to overwirte the rules:
{ "rules": { ".read": "true", ".write": "auth != null", "courses": { ".indexOn": ["url"] }, "lessons": { ".indexOn": ["url"] } } }
Here we set "write" needs auth, read dones't need auth.