DilllyBar

Reputation: 59

Firebase read/write permission for certain users

I have a family, A, b, c, d, and A is the leader. We have an intruder, E. We only want b, c, d to read/write A's data.

ALL OF THESE letters (b, c, d, ...) will be the UIDs.

Here is what I have so far:

Everyone is authenticated with email. People send requests to A to be allowed in his group. If he accepts, they can read/write to his.

Design for database Firebase

{
  "Leaders" : {
    "A" : {
      "ALLOWED" : {
        "b" : 0,
        "c" : 0,
        "d" : 0
      },
      "DATA" : {
        "blah blah1" : "content writable by bcd",
        "blah blah2" : "content writable by bcd"
      },
      "REQUESTS" : {
        "E" : 0
      }
    }
  }
}

I can use CRUD to move the b, c, d but how do I make the rules so that it follows that only people in the ALLOWED can read/write data for each leader?

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "Leaders": {
      ".write": "$uid == ????"
    }
  }
}

Thanks for helping!

Upvotes: 2

Views: 1736

Answers (1)

Frank van Puffelen

Reputation: 598728

Should be a matter of checking if the node exists under the current leader:

{
  "rules": {
    "Leaders":{
      "$leaderuid": {
         ".write": "$leaderuid == auth.uid",
         "DATA": {
           ".write": "data.parent().child('ALLOWED').child(auth.uid).exists()"
         }
       }
    }
  }
}

Things I changed:

  • Remove the top-level read/write rules. Otherwise any authenticated user can read/write all data and you can never take that permission away at a lower level anymore.
  • The leader can write their entire node. I use auth.uid here as described in the documentation on securing user data.
  • A user can only write under DATA if their uid exists in the ALLOWED node.

Upvotes: 4
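A fuller rule set built on the accepted answer, added here as an example rather than code from either poster: it also covers the read side the question asks about and lets a user file their own join request under REQUESTS (the `$requesteruid` wildcard, the `root.child(...)` lookups and the explicit `auth != null` guards are my additions, not from the page).

```json
{
  "rules": {
    "Leaders": {
      "$leaderuid": {
        // The leader reads and writes everything under their own node,
        // including ALLOWED, so only the leader can admit or remove members.
        ".read": "auth != null && $leaderuid == auth.uid",
        ".write": "auth != null && $leaderuid == auth.uid",
        "DATA": {
          // Members (uids listed under ALLOWED) may read and write DATA.
          // Reads must be granted here explicitly: the leader-level .read
          // above does not apply to members, and rules never remove access.
          ".read": "auth != null && root.child('Leaders').child($leaderuid).child('ALLOWED').child(auth.uid).exists()",
          ".write": "auth != null && root.child('Leaders').child($leaderuid).child('ALLOWED').child(auth.uid).exists()"
        },
        "REQUESTS": {
          "$requesteruid": {
            // Any signed-in user may create a request keyed by their own uid,
            // once, with the placeholder value 0; they cannot touch other
            // users' requests or overwrite an existing one.
            ".write": "auth != null && $requesteruid == auth.uid && !data.exists() && newData.val() == 0"
          }
        }
      }
    }
  }
}
```

Because no `.read` or `.write` is granted at the top level, an outsider such as E can see nothing except the request they created, and only the leader can ever move a uid from REQUESTS into ALLOWED.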
