I asked this question about my implementation of Firebase. Essentially, I tried to structure my Firebase database so that I had a collection of objects, and some users accessed a subset of these objects.
In my example, I have tasks. Several users will use this database, and for each Firebase offer, all tasks for all users are flattened out as children of the same parent node. Each user can access their tasks specified creatorIdin the object task. Perhaps in the future, permissions may be expanded, so tasks can be transferred to other users. But for now, ownership and the creator can read and write their own tasks.
This is trivial to implement using queries . I am not a security expert, but it seems to me that somehow observing these rules separately from requests within the client implementation is an important security consideration. Even if my client restricts access in this way, and all access requires authentication with our custom token provider, it seems that someone (another authenticated user) can figure out how we extract our data and gain access to the tasks of other users.
I know the Rules are not filters (see this one ), but it seems reasonable that it would be necessary to provide access to data in approximately this way.
My questions:
- Is this simply not a significant security issue?
- If so, is there a way for Firebase to do what I am describing? In Firebase's security example , it would be like users would not be able to access all rooms or messages. This seems like a perfectly reasonable software development solution (private rooms, private room communications, etc.).
- Did I just miss something here or didnโt understand the situation or didnโt write it very naively?
Edit:
I think the first time I read Structuring Data , I skipped the โUsing Indexes to Define Complex Relationships,โ which addresses this issue.