DilllyBar DilllyBar - 11 days ago 7
Android Question

Firebase read/write permission for certain users

I have a family, A, b, c, d, and A is the leader. We have an intruder, E. We only want b, c, d to read/write A's data.

ALL OF THESE letters (b, c d,...) will be the UID's

Here is what I have so far:

Everyone is authenticated with email. People send requests to A to be allowed in his group. If he accepts, they can read/write to his.

Design for database Firebase

{
"Leaders" : {
"A" : {
"ALLOWED" : {
"b" : 0,
"c" : 0,
"d" : 0
},
"DATA" : {
"blah blah1" : "content writable by bcd",
"blah blah2" : "content writable by bcd"
},
"REQUESTS" : {
"E" : 0
}
}
}
}


I can use CRUD to move the b, c, d but how do I make the rules so that it follows that only people in the ALLOWED can read/write data for each leader?

{
"rules": {
".read": "auth != null",
".write": "auth != null"
"Leaders":{
".write": "$uid == ????"
}
}
}


Thanks for helping!

Answer

Should be a matter of checking if the node exists under the current leader:

{
  "rules": {
    "Leaders":{
      "$leaderuid": {
         ".write": "$leaderuid == auth.uid"
         "DATA": {
           ".write": "data.parent().child('ALLOWED').child(auth.uid).exists()"
         }
       }
    }
  }
}

Things I changed:

  • Remove the top-level read/write rules. Otherwise any authenticated user can read/write all data and you can never take that permission away at a lower level anymore.
  • The leader can write their entire node. I use auth.uid here as described in the documentation on securing user data.
  • A user can only write under DATA if their uid exists in the ALLOWED node.