Reputation: 132
After seeming to bang my head on a wall for what seems to be a simple problem, I thought it best to ask for some help.
I am creating an EmberFire application that allows users to authenticate using the simple login. Once authenticated, the user can store particular items for later retrieval.
I have models defined as so:
USER:

    import DS from 'ember-data';

    export default DS.Model.extend({
      firstName: DS.attr('string'),
      lastName: DS.attr('string'),
      dateOfBirth: DS.attr('date'),
      registeredAt: DS.attr('date'),
      compentencies: DS.hasMany('competency', { async: true })
    });

COMPETENCY:

    import DS from 'ember-data';

    export default DS.Model.extend({
      title: DS.attr('string'),
      endDate: DS.attr('date'),
      user: DS.belongsTo('user', { async: true })
    });

These are stored in the Firebase db in a denormalised form, as I would like them to be.
My issue arises on retrieval of persisted data. I am not sure how I am supposed to lock the competencies down to a particular user?
The way the rules cascade in Firebase, I am not sure if this is even possible in this form, but it does not seem right that I would have to store each competency in an embedded form under each user node.
I know that I could just allow read access to all 'Competency' models with this.store.find('competency') and then filter them on the client, but that does not fit the security I would expect.
Any help would be great thanks.
Ryan
Upvotes: 1
Views: 95
Reputation: 509
To only allow read access to a competency if the competency belongs to the user who is currently logged in, you can use $competencyId (you can replace "competencyId" with any valid string). Using $competencyId limits access to a specific node under competencies/ instead of allowing access to the entire tree.

    {
      "rules": {
        "competencies": {
          "$competencyId": {
            ".read": "data.child('user').val() === auth.uid"
          }
        }
      }
    }

Upvotes: 2
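
How the rule in the answer above behaves for single-node reads versus a read of the whole competencies/ location, as an added example that is not part of the original question or answer. It is a simplified model of Realtime Database read rules, not the real rules engine; `canRead`, `grants`, the sample data and the uids are constructed for illustration.

```javascript
// Simplified model of Firebase Realtime Database ".read" evaluation (a sketch,
// not the real rules engine). The answer's rule is written as a JS function.
const rules = {
  competencies: {
    $competencyId: {
      '.read': (data, auth) => auth !== null && data != null && data.user === auth.uid,
    },
  },
};

// Constructed sample data and uids, not taken from the original post.
const db = {
  competencies: {
    c1: { title: 'First aid', user: 'uid-alice' },
    c2: { title: 'Fire safety', user: 'uid-bob' },
  },
};

// True when this rule node has a ".read" rule that evaluates to true.
const grants = (node, data, auth) =>
  Boolean(node) && typeof node['.read'] === 'function' && node['.read'](data, auth);

// Hypothetical helper: a read is allowed if a ".read" rule at the requested
// location or at one of its ancestors grants it. Rules below the requested
// location are never consulted, so they cannot act as a filter on the parent.
function canRead(path, auth) {
  let ruleNode = rules;
  let data = db;
  if (grants(ruleNode, data, auth)) return true;
  for (const key of path.split('/').filter(Boolean)) {
    if (!ruleNode) return false;
    const wildcard = Object.keys(ruleNode).find((k) => k.startsWith('$'));
    ruleNode = ruleNode[key] || ruleNode[wildcard];
    data = data == null ? undefined : data[key];
    if (grants(ruleNode, data, auth)) return true; // a grant cascades to children
  }
  return false;
}

const alice = { uid: 'uid-alice' }; // constructed auth object
console.log('own competency:    ', canRead('competencies/c1', alice));
console.log('child of own node: ', canRead('competencies/c1/title', alice));
console.log('other user\'s node: ', canRead('competencies/c2', alice));
console.log('whole collection:  ', canRead('competencies', alice));
console.log('not logged in:     ', canRead('competencies/c1', null));
```

Because nothing grants read at competencies/ itself, a request for the whole collection is denied rather than filtered, so the client has to load competencies by ID, for example through the IDs stored on the user's hasMany relationship.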