Reputation: 25645
My webapp, like 99% of apps, has a collection of users in the db. I can access a user at /user/, so I set up a rule to allow every user to access only its data.
BUT I need every user to join a group
/user/34029380432
- name: realtebo
- group_id: 123
- isAdmin: true
/group/123
- a lot of shared data, all members can read, only isAdmin can write
How can I set up a rule that allows only members of each group to read it and only admin members to write group data?
Of course I could swap sides, moving the member list, as an array, under each group and setting, inside each group, one or more admin ids.
But I am not able to compose the JavaScript rule.
Upvotes: 1
Views: 355
Reputation: 1511
I think what you could do is have a messages and a users node within your group objects. You can access the parent object of that data node in your security rules and see if that user is a member of the users node by using exists().
/group/123
- messages // a lot of shared data, all members can read, only isAdmin can write
- users // list of user uids that are added to this group
- admins // list of admin uids
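{
  "rules": {
    "group": {
      "$groupId": {
        "messages": {
          // data.parent() is /group/$groupId, so these look up auth.uid in its users / admins lists
          ".read": "data.parent().child('users').child(auth.uid).exists()",
          ".write": "data.parent().child('admins').child(auth.uid).exists()"
        }
      }
    }
  }
}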
Upvotes: 1
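The rules above only cover `messages`. The following is an added example, not part of the original answer, that also protects the membership lists the checks depend on. It assumes `users` and `admins` are maps of `uid: true`, that admins are also listed under `users`, and that the first admin entry of a new group is written by trusted server code.

```json
{
  "rules": {
    "group": {
      "$groupId": {
        // No .read/.write is set at this level on purpose: a grant on a parent
        // cascades to every child and cannot be revoked further down.
        "messages": {
          // Shared data: members read, admins write.
          ".read": "auth != null && root.child('group').child($groupId).child('users').child(auth.uid).exists()",
          ".write": "auth != null && root.child('group').child($groupId).child('admins').child(auth.uid).exists()"
        },
        "users": {
          // Member list: members can see it, only admins can change it.
          // Keeping membership here (not under /user/<uid>, which the question
          // lets each user write) means a user cannot add themselves to a group.
          ".read": "auth != null && root.child('group').child($groupId).child('users').child(auth.uid).exists()",
          ".write": "auth != null && root.child('group').child($groupId).child('admins').child(auth.uid).exists()",
          "$uid": {
            // Entries are plain `true` flags (assumed layout); deletes skip .validate.
            ".validate": "newData.val() === true"
          }
        },
        "admins": {
          // Admin list: only existing admins can promote or demote.
          ".read": "auth != null && root.child('group').child($groupId).child('users').child(auth.uid).exists()",
          ".write": "auth != null && root.child('group').child($groupId).child('admins').child(auth.uid).exists()",
          "$uid": {
            ".validate": "newData.val() === true"
          }
        }
      }
    }
  }
}
```

With these rules no client can create a group or its first admin, because the `admins` check fails while the list is empty; the Admin SDK bypasses security rules and can seed that entry.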