How to create a public / private user profile with Firebase security rules?

    {
      "rules": {
        "users": {
          "$uid": {
            // Private: everything under "$uid" is owner-only, but "public" is exposed
            ".read": "auth != null && auth.uid == $uid",
            ".write": "auth != null && auth.uid == $uid",
            "public": {
              ".read": "auth != null"
            }
          }
        }
      }
    }

  • I created these rules to have a public / private user profile.
  • "users / {uid} / public" should be accessible to any user who has authenticated, but they cannot access the data in the "users / {uid}" section.

Here are some fake data stored in my firebase database.

    {
      "users": {
        "YFIIAgwa2kaannrXjwvSZmoywma2": {
          "Name:": "Example 1",
          // This public child should be accessible by "Example 2",
          // but "Example 2" cannot know the name of this user
          "public": {
            "email": "example1@gmail.com"
          }
        },
        "YgSfSzPzxLbyDL17r6P9id2cdvH2": {
          "Name:": "Example 2",
          // This public child should be accessible by "Example 1",
          // but "Example 1" cannot know the name of this user
          "public": {
            "email": "example2@gmail.com"
          }
        }
      }
    }

I want to know if this is a reliable way to prevent users from accessing important information about other users! Also, can I improve this using validate? I am open to any suggestions you have. I want to create the best and simplest security rules for my application.

+5
source share
2 answers

You can definitely provide access to private and public data with your current data structure.

But one use case that you are likely to need at some point is to show a list of publicly available information for all users. With your current data structure, this is not possible, because the Firebase Security Model cannot be used to filter data. For an excellent answer on this, see Restricting access to child / fields using security rules.

Most developers split public and private data into completely separate subtrees:

    {
      "users": {
        "YFIIAgwa2kaannrXjwvSZmoywma2": {
          "Name:": "Example 1"
        },
        "YgSfSzPzxLbyDL17r6P9id2cdvH2": {
          "Name:": "Example 2"
        }
      },
      "public_profiles": {
        "YFIIAgwa2kaannrXjwvSZmoywma2": {
          "email": "example1@gmail.com"
        },
        "YgSfSzPzxLbyDL17r6P9id2cdvH2": {
          "email": "example2@gmail.com"
        }
      }
    }

Then you can protect access with

    {
      "rules": {
        "users": {
          "$uid": {
            ".read": "auth != null && auth.uid == $uid",
            ".write": "auth != null && auth.uid == $uid"
          }
        },
        "public_profiles": {
          ".read": "auth != null",
          "$uid": {
            ".write": "auth != null && auth.uid == $uid"
          }
        }
      }
    }

Now any authenticated user can listen to /public_profiles, which means that you can easily show a list of these profiles.

+7
source

Hmm, wouldn't it be easier to (re)structure the db so that you have a public and a private field for each user? Something like:

    {
      "users": {
        "YFIIAgwa2kaannrXjwvSZmoywma2": {
          "private": {
            "Name:": "Example 1"
          },
          "public": {
            "email": "example1@gmail.com"
          }
        },
        "YgSfSzPzxLbyDL17r6P9id2cdvH2": {
          "private": {
            "Name:": "Example 2"
          },
          "public": {
            "email": "example2@gmail.com"
          }
        }
      }
    }

UPD: So it should be easi(er) to have different permissions, because they do not inherit them from the parent?

0
source
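The following is an added example, not code from the question or from either answer: a small JavaScript simulator of how Realtime Database rules cascade, used to compare the three layouts on this page (the question's nested "public" child, the first answer's separate public_profiles subtree, and the second answer's private/public fields). It evaluates each rule string as JavaScript with auth and the $uid wildcard bound, which is enough for the simple expressions used here but is not Firebase's real rule engine; the uids are constructed placeholders, and the rules attached to the second answer's layout are assumed, since that answer shows only data.

```javascript
// Added example (not the page's code): simulate Firebase Realtime Database
// rule cascading for the three data layouts discussed in the thread. Rule
// strings are evaluated as JavaScript with `auth` and `$uid` in scope; this
// is an approximation of the real engine, sufficient for these expressions.

const ALICE = { uid: "uid_alice" }; // constructed placeholder uid
const BOB = { uid: "uid_bob" };     // constructed placeholder uid

const OWNER = "auth != null && auth.uid == $uid"; // only the profile owner
const SIGNED_IN = "auth != null";                 // any authenticated user

// 1. The question's rules: "public" nested under each owner-only user node.
const RULES_NESTED = {
  rules: {
    users: { $uid: { ".read": OWNER, ".write": OWNER, public: { ".read": SIGNED_IN } } },
  },
};

// 2. The first answer's rules: public data in its own top-level subtree.
const RULES_SPLIT = {
  rules: {
    users: { $uid: { ".read": OWNER, ".write": OWNER } },
    public_profiles: { ".read": SIGNED_IN, $uid: { ".write": OWNER } },
  },
};

// 3. The second answer's private/public layout. It gives no rules, so these
// are assumed: owner-only on "private", any signed-in reader on "public".
const RULES_PRIVATE_PUBLIC = {
  rules: {
    users: {
      $uid: {
        private: { ".read": OWNER, ".write": OWNER },
        public: { ".read": SIGNED_IN, ".write": OWNER },
      },
    },
  },
};

// Evaluate one rule expression (taken from the constants above, never from
// user input) with `auth` and the current wildcard bindings in scope.
function evalRule(expr, auth, vars) {
  const names = Object.keys(vars);
  const fn = new Function("auth", ...names, `return (${expr});`);
  return Boolean(fn(auth, ...names.map((n) => vars[n])));
}

// Walk from the root down to `path`, binding $wildcards on the way. Access is
// granted as soon as any node on the path grants it (rules cascade downward
// and a child cannot revoke a parent's grant) and denied otherwise, including
// when the requested path is shallower than the first granting rule.
function canAccess(rules, path, auth, kind) {
  const vars = {};
  let node = rules.rules;
  if (node[kind] !== undefined && evalRule(node[kind], auth, vars)) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    let next = node[seg];
    if (next === undefined) {
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // nothing below here can grant
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    if (node[kind] !== undefined && evalRule(node[kind], auth, vars)) return true;
  }
  return false;
}

const canRead = (rules, path, auth) => canAccess(rules, path, auth, ".read");
const canWrite = (rules, path, auth) => canAccess(rules, path, auth, ".write");

// The checks a reviewer would run against each layout.
function summary() {
  return {
    // question's layout: the per-user private/public split works...
    nestedOwnerReadsOwn: canRead(RULES_NESTED, "/users/uid_alice", ALICE),
    nestedOtherReadsPrivate: canRead(RULES_NESTED, "/users/uid_alice", BOB),
    nestedOtherReadsPublic: canRead(RULES_NESTED, "/users/uid_alice/public", BOB),
    nestedAnonReadsPublic: canRead(RULES_NESTED, "/users/uid_alice/public", null),
    // ...but nobody can list /users, so no "all public profiles" query exists
    nestedListUsers: canRead(RULES_NESTED, "/users", BOB),
    // first answer's layout: listing works and writes stay owner-only
    splitListProfiles: canRead(RULES_SPLIT, "/public_profiles", BOB),
    splitOtherWritesProfile: canWrite(RULES_SPLIT, "/public_profiles/uid_alice", BOB),
    splitOtherReadsUser: canRead(RULES_SPLIT, "/users/uid_alice", BOB),
    // second answer's layout: same per-user split, same listing limitation
    ppOtherReadsPrivate: canRead(RULES_PRIVATE_PUBLIC, "/users/uid_alice/private", BOB),
    ppOtherReadsPublic: canRead(RULES_PRIVATE_PUBLIC, "/users/uid_alice/public", BOB),
    ppListUsers: canRead(RULES_PRIVATE_PUBLIC, "/users", BOB),
  };
}

console.log(summary());
```

The two nested layouts both deny reads of /users itself, which is why the first answer moves public data to its own subtree: read permission granted on a child never lets a client query the parent. Before relying on any of these layouts in production, run the same cases against the real rules with the Firebase emulator's rules unit-testing support, since this simulator ignores .validate, data-dependent expressions and query-based rules.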
