cebor

Reputation: 6546

Security Rules for Admin Users

How can I set up my security rules so that only users with users/$provider/$user/admin == true can add and remove admins?

Here are my Firebase rules:

{
  "rules": {    
    "users": {
      "$provider": {
        "$user": {
          "profile": {
            ".read": "$user == auth.id && $provider == auth.provider",
            ".write": "$user == auth.id && $provider == auth.provider" 
          },
          "admin": {
            ".read": false,
            ".write": false
          }
        }
      }
    },
    "blogs": {
      ".read": true,
      ".write": "root.child('users').child(auth.provider).child(auth.id).child('admin').val() == true",
      "$blog": {
        ".validate": "newData.hasChildren(['article', 'time', 'title'])"
      }
    }
  }
}

My other question is: can I mix auth.id values from different auth.provider values, i.e. are they unique? I want to drop the "$provider": {} level in the user hierarchy; it's a little bit ugly.

Upvotes: 2

Views: 3814

Answers (2)

Rob DiMarco

Reputation: 13266

While the id attribute is the id for the specified provider, the uid is unique across all providers and is intended as the proper index for your users, especially if you're using multiple providers at once.

Note: Firebase updated their APIs to no longer return a plain, provider-specific id attribute in the security rules auth variable for client library versions 1.1.0 or later (released Oct. 3rd, 2014).

Upvotes: 0

Romeo Mihalcea

Reputation: 10252

I hope I understand correctly what you need:

{
  "rules": {
    "users": {
      "$provider": {
        "$user": {
          "profile": {
            ".read": "$user == auth.id && $provider == auth.provider",
            ".write": "$user == auth.id && $provider == auth.provider"
          },
          "admin": {
            ".read": "auth.admin == true",
            ".write": "auth.admin == true"
          }
        }
      }
    },
    "blogs": {
      ".read": true,
      ".write": "root.child('users').child(auth.provider).child(auth.id).child('admin').val() == true",
      "$blog": {
        ".validate": "newData.hasChildren(['article', 'time', 'title'])"
      }
    }
  }
}

On the second question, I don't think you need to save the provider at all, since if a user logs in with a different provider it should be taken as a new user, unless Firebase really keeps track of the only thing that's unique and persistent among logins, which is the email, and I highly doubt they do. My 99% sure bet is that the auth.id changes when the auth providers are switched, but that's not hard at all to test, is it?

Upvotes: 3
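As an added example (not code from either answer or from the question), here is a rules tree that combines the two points above: the user hierarchy is keyed by auth.uid, which Rob DiMarco's answer notes is unique across providers, so the $provider level is gone, and the admin flag is writable only by a caller whose own admin flag is already true, which is what the question asked for. The users/$uid/{profile,admin} and blogs layout is the question's; the `auth != null` guards and the boolean .validate on the flag are assumptions added here.

```json
{
  "rules": {
    "users": {
      "$uid": {
        "profile": {
          ".read": "auth != null && $uid == auth.uid",
          ".write": "auth != null && $uid == auth.uid"
        },
        "admin": {
          ".read": "auth != null && ($uid == auth.uid || root.child('users').child(auth.uid).child('admin').val() == true)",
          ".write": "auth != null && root.child('users').child(auth.uid).child('admin').val() == true",
          ".validate": "newData.isBoolean()"
        }
      }
    },
    "blogs": {
      ".read": true,
      ".write": "auth != null && root.child('users').child(auth.uid).child('admin').val() == true",
      "$blog": {
        ".validate": "newData.hasChildren(['article', 'time', 'title'])"
      }
    }
  }
}
```

Three things to check before relying on this. First, there is no `.write` on users/$uid itself: write permission cascades downward in Firebase rules, so any `.write: true` on a parent would let a user set their own admin flag regardless of the rule on the child. Second, the `root.child(...)` lookups inside a rule are not gated by the `.read` rule on that path, so the blogs rule keeps working even if the admin flag is made unreadable to its owner. Third, the first admin cannot be created through these rules at all (nobody is an admin yet); that flag has to be set from the Firebase dashboard or from a server authenticating with the app secret, which bypasses security rules.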
