Firestore User Collection isAdmin implementation Angular

Question

I'm trying to create an admin interface for the web application I'm developing. I'm using Angular with Angularfire2. I'm using Firebase Firestore as the database.

I wanted to see how we can implement an isAdmin flag in the users collection so that specified users can access admin features.

Can anyone shed some light on how I can approach to develop this. I know there are security rules you can set on the users document. If authenticated users are allowed to read and write to their own doc, what's stopping them from changing the isAdmin flag?

Or is this really as simple as adding a boolean key and toggling that in the admin interface?

Thanks, Walter

Answer 1

You can use custom auth claims from a custom server using the Firebase Admin SDK. Then you can incorporate these claims into your Firestore security rules rules. You can find out more about controlling access with custom claims here. In your Firestore rules, for example, you could limit read access to this document using the admin custom claim like this:

service cloud.firestore {
  match /databases/{database}/documents/adminContent {
    allow read: if request.auth.token.admin == true;
  }
}

Which could be set from a custom server or Cloud Functions for Firebase like this:

// Set admin privilege on the user corresponding to uid.
admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
  // The new custom claims will propagate to the user's ID token the
  // next time a new one is issued.
});