Reputation: 3407
Firebase realtime database rules - Allow multiple user access to list all messages
I would like to give multiple users access to fetch a collection of "messages" they have access to in Firebase Realtime database. The database fetch would read "/messages" and return a collection of all messages the user has access to. Database structure looks like this:
"messages" : {
"-L123456789": {
"access": {
"author": "user-one-id-987654"
"assigned-user-id-1234": "assigned-user-id-1234"
}
"data" : {
"theData": "Hello world!"
}
}
}
I have created the following rule:
{
"rules": {
"messages": {
"$message_id": {
"data": {
".read": "
//if author or assigned user
data.parent().child('access').child('author').val() === auth.uid ||
data.parent().child('access').child(auth.uid).exists()
",
".write": "false"
}
}
}
}
However, I am not able to get a collection of all messages where I am listed as author or assigned user.
What rule would allow a user listed as "author" (user-one-id-987654) or "assigned user" (assigned-user-id-1234) to get a collection of all messages they have access to by simply reading the "/messages/" database path?
I am guessing a rule in the root of "messages" might be the answer?
I have tried the below rule - it grants access to all authenticated users - but I wish to only return a collection where the user is listed as "author" or "assigned user".
{
"rules": {
"messages": {
".read": "auth.uid !== null"
}
}
}
Kind regards /K
Upvotes: 1
Views: 1283
Answers (1)
Reputation: 598886
Firebase server-side security rules can not be used to filter data. When you attach a listener to the database, the server checks if that listener is guaranteed to always meet the rules (no matter what the data). If it doesn't meet the rules, the listener is rejected right away.
So if you attach a listener to /messages, the server checks if you have read permission to /messages. And since you don't, it rejects the listener.
If you want to allow the user to read messages of which they're the owner you'll need two things:
- A query that only retrieves the messages that the user owns.
- Security rules that ensure only that query is allowed.
For more on this, see the Firebase documentation on securely querying data and the blog post introducing this feature.
Upvotes: 1
Related Questions
- Firebase Realtime Rules: Allowing multiple Users Access to Data
- Firebase Realtime Database rules to allow a single user Write access
- firebase realtime db security rule to allow specific users
- Firebase Realtime Database read rule for specific user
- Firebase rules to give read access to a dynamic list of users
- Firebase Database Access multiple records
- Firebase rules to allow some user access
- firebase database rule allow read/write to specific users with specific info
- Firebase database rules: users permission
- Firebase: allow to read collection by admins and specific records by users