Doanh Do
Reputation: 1
Can a Firebase Security Rule check if someone has specific access rights?
Can I use the keyword "in" to check if a user's authentication matches a Firebase security rule?
For example, I create a user token with:
var token = tokenGenerator.createToken({ "uid": "1234", "access": [file1, file2, file3] });
I want to check if the user can access a particular file by setting the following security rule:
{
"rules": {
".read": true,
".write": "file3 in auth.access"
}
}
I am not sure if this works or is there a similar pattern for Firebase security. I want to issue each user unique security tokens that allows them to access certain files.
Upvotes: 0
Views: 1243
Answers (1)
Frank van Puffelen
Reputation: 598847
What you're describing is a form of role-based security, which you can definitely build on Firebase.
This requires that you store the roles in your Firebase (and not just dynamically add them to the token):
users
twitter:214
files
file1: true
file2: true
twitter:469
files
file2: true
Your rule would then be:
".write": "root.child('users/'+auth.uid+'/files/file1').exists()"
Upvotes: 6
Related Questions
- Firebase Cloud Storage: can I test if an authenticated user can read an object based on the rules?
- Firebase (Firestore) security rules, limit access to object for specific users
- Firebase Realtime Rules - Give access when some child contains value x?
- firebase realtime db security rule to allow specific users
- Firebase security write rule of child based on user existence
- Firebase rules to allow some user access
- firebase database rule allow read/write to specific users with specific info
- firebase rules: how to restrict access based on user role
- Set a security rule firebase based on a users oauth email
- Firebase: set security rules depending on user roles