Since your admin process will use a secret token to log in, security rules will not apply. Thus, you can simply secure client access using:
    // not applied to privileged server logging in with token
    ".write": false,
If, alternately, you wanted clients to increment the amount, you could use the following trick, which only allows them to increment the counter, and only allows them to add a comment if the counter has been updated. (See a working demo http://jsfiddle.net/katowulf/5ESSp/)
    {
      "rules": {
        ".read": true,
        ".write": false,
        "incid": {
          "counter": {
            // this counter is set using a transaction and can only be incremented by 1
            ".write": "newData.isNumber() && ((!data.exists() && newData.val() === 1) || newData.val() === data.val()+1)"
          },
          "records": {
            "$id": {
              // this rule allows adds but no deletes or updates
              // the id must inherently be in the format rec# where # is the current value of incid/counter
              // thus, to add a record, you first create a transaction to update the counter, and then use that counter here
              // the value must be a string of at most 1000 characters
              ".write": "$id >= 'rec'+root.child('incid/counter').val() && !data.exists() && newData.isString() && newData.val().length <= 1000"
            }
          }
        }
      }
    }
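The two `.write` rules above can be checked offline with a small local model before they are deployed. This is an added example, not part of the original answer or of Firebase: `counterWriteAllowed`, `recordWriteAllowed`, `addRecord`, `demo` and the sample state are hypothetical names and data, and it assumes string `>=` in rules compares lexicographically as it does in JavaScript.

```javascript
// Added example: local model of the two ".write" rules, for testing only.
// Assumption: string ">=" in rules is lexicographic, as in JavaScript.
const MAX_LEN = 1000;

// Mirrors incid/counter: the first write must be 1, later writes exactly +1.
function counterWriteAllowed(data, newData) {
  if (typeof newData !== 'number') return false;
  const exists = data !== null && data !== undefined;
  return (!exists && newData === 1) || (exists && newData === data + 1);
}

// Mirrors incid/records/$id: add-only, key bounded by the counter, short string.
function recordWriteAllowed(db, id, newData) {
  const lowerBound = 'rec' + db.counter;
  const exists = Object.prototype.hasOwnProperty.call(db.records, id);
  return id >= lowerBound && !exists &&
    typeof newData === 'string' && newData.length <= MAX_LEN;
}

// Client flow from the rule comments: bump the counter, then add rec<counter>.
function addRecord(db, text) {
  const next = (db.counter === null ? 0 : db.counter) + 1;
  if (!counterWriteAllowed(db.counter, next)) return null;
  db.counter = next;
  const id = 'rec' + next;
  if (!recordWriteAllowed(db, id, text)) return null;
  db.records[id] = text;
  return id;
}

function demo() {
  const db = { counter: null, records: {} }; // constructed sample state
  return [
    addRecord(db, 'first'),                            // 'rec1'
    addRecord(db, 'second'),                           // 'rec2'
    counterWriteAllowed(db.counter, 5),                // false: not +1
    counterWriteAllowed(db.counter, 1),                // false: no reset
    recordWriteAllowed(db, 'rec2', 'again'),           // false: no overwrite
    recordWriteAllowed(db, 'rec3', 'x'.repeat(1001)),  // false: too long
    recordWriteAllowed(db, 'rec3', 'early'),           // true: ">=" is a lower bound
    recordWriteAllowed(db, 'rec0', 'old'),             // false: sorts before rec2
  ];
}

console.log(demo());
```

The seventh result shows that the `$id` comparison as written is a lower bound on the key, not an exact match against the counter, which is worth covering when you test the deployed rules.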