Firebase JSON Security and Arrays

We would like to use Firepad in our (mostly not Firebase-hosted) project, but we are having some trouble determining the best way to approach the problem.

Basically, we have many users, and each user can be a member of many groups. These "groups" each have their own Firepad, which users can edit. We already have a deep database structure using MySQL, and we don’t want to transfer our user data to Firebase now, so we decided that we would take a more creative approach.

We do not want users to be able to edit Firepads of groups to which they do not belong. Thus, as part of our authentication token, we decided that we would try to send the user ID and the list of groups to which they belong. Then, using the Firebase JSON security system, we can verify that the Firepad being edited is in the list of groups to which the user belongs.

The problem is that the JSON system does not seem to accept many commands. There is no indexOf, and I cannot call hasChild on the auth variable.

How can we guarantee that users can only edit the Firepads of the groups to which they belong, without transferring all our data to Firebase? (Or saving two copies of the database - one on MySQL and one on Firebase)

+6
1 answer

The trick here is to use an object instead of an array to store groups (a bit inconvenient, I know. We will try to make this simpler / more intuitive). Thus, in your authentication token, you should store something like:

    { userid: 'blah', groups: { 'group1': true, 'group2': true, ... } }

And then in your security rules you can have something like:

    {
      ...
      "$group": {
        ".read": "auth.groups[$group] == true",
        ".write": "auth.groups[$group] == true"
      }
    }

And then the user will have read/write access to /groups/<group> only if the <group> is in their authentication token.

+9
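
As an added example (not part of the original answer and not Firebase's own code), here is one way to build the token payload from a list of group IDs and to unit-test the access decision locally. `buildAuthPayload` and `ruleAllows` are hypothetical names, the sample IDs are constructed, and `ruleAllows` only mirrors the rule expression above; it is not Firebase's rules engine.

```javascript
// Added example; buildAuthPayload and ruleAllows are hypothetical names.

// Firebase database keys may not contain these characters. A group ID is used
// as the $group path segment, so it has to be a valid key.
const INVALID_KEY_CHARS = /[.$#\[\]\/]/;

// Turn a list of group IDs (for example, rows from the MySQL membership
// table) into the object form that the rule indexes as auth.groups[$group].
function buildAuthPayload(userId, groupIds) {
  const groups = Object.create(null); // no inherited keys such as "constructor"
  for (const id of groupIds) {
    const key = String(id);
    if (key === "" || INVALID_KEY_CHARS.test(key)) {
      throw new Error("group id is not a valid Firebase key: " + JSON.stringify(key));
    }
    groups[key] = true;
  }
  return { userid: String(userId), groups };
}

// Local mirror of the rule "auth.groups[$group] == true", for unit tests.
// Denies when there is no token, no groups object, or no exact own-key match.
function ruleAllows(auth, group) {
  if (auth === null || typeof auth !== "object") return false;
  const groups = auth.groups;
  if (groups === null || typeof groups !== "object") return false;
  return Object.prototype.hasOwnProperty.call(groups, group) && groups[group] === true;
}

// Constructed sample data: the object form from the answer, and the array
// form from the question, which cannot be looked up by group name.
const payload = buildAuthPayload(42, ["group1", "group2"]);
const arrayPayload = { userid: "42", groups: ["group1", "group2"] };
```

Only the server that signs the token should call `buildAuthPayload`, since the rule trusts whatever `groups` the signed token carries.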