How can I give write permission to a specified user in Firebase?

Question

I have a mobile application which reads the data from the firebase server without firebase login/authentication (posts and news) and I want to create an admin webpage where I can log in and add, or modify news, so I need a write permission there. My rules are currently:

{
  "rules": {
    ".read": true,
    ".write": "auth !== null && ?????
  }
}

Can I write something like "user.emailAddress == 'mail@example.com'"?

Answer 1

Create database:

   {
      "users":{
         "your UID":{
            "isAdmin": true
          }
       }
    }

Set rules:

Wrong:

    {
      "rules": {
        ".read": true,
        ".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
      }
    }

Right:

    {
      "rules": {
        ".read": true,
        ".write": "auth.uid != null && root.child('users').child(auth.uid).child('isAdmin').val() === true"
      }
    }

Answer 2

You might want to start by reading the documentation about securing user data. There is a lot to know here.

One possibility is using the known user's uid to restrict access. The auth.uid variable contains the uid.

".write": "auth.uid == 'the-known-uid'"

Also you can use auth.token to access some other things about the user, including email address (which may not be present):

".write": "auth.token.email == 'the@email.address'"

You can also use custom authentication tokens, which also is covered in the documentation.

Answer 3

You can create a users table on database like

{
  "users":{
     "your UID":{
        "isAdmin": true
      }
   }
}

Then edit rules :

{
  "rules": {
    ".read": true,
    ".write": "auth.uid != null && root.child("users").child(auth.uid).isAdmin === true"
  }
}