Reputation: 540
I need to create a system where there are many groups.
I have written the following rules, but my problem is that I can't give Group member permissions to read other users' data with the or ending part:
root.child('Group').child($group_id).child('Members').hasChild(auth.uid)
simply because it can't work with $group_id.
I did not find any function that gives me the possibility to check if there is a uid inside Groups from the UserData group. My constraint is that I already have the UserData part and I can't change it, because it is already populated, but I need to define a Group part around it. Should I structure this in another way? Like having another path that defines, for every user, the groups that they may be in?
{
  "rules": {
    "Groups": {
      "$group_id": {
        ".read": "data.child('Members').child(auth.uid).exists()",
        ".write": "data.child(auth.uid).child('canChangeRegistry').val() == true",
        "Members": {
          ".read": "data.child(auth.uid).exists()",
          ".write": "data.child(auth.uid).child('canChangeRegistry').val() == true",
          "$uid": {
            ".read": "data.child(auth.uid).exists()",
            ".write": "auth.uid === $uid || data.child('canChangeRegistry').val() == true"
          }
        }
      }
    },
    "UserData": {
      "$uid": {
        ".read": "auth.uid === $uid || root.child('Groups').child($group_id).child('Members').hasChild(auth.uid)",
        ".write": "auth.uid === $uid "
      }
    }
  }
}
Upvotes: 1
Views: 80
Reputation: 598847
There is no way to have the rules search through all groups for a membership match, as that wouldn't scale.
The only option I see is to store an additional list for each user with all other users that they share a group with, and then update that whenever you add users to groups and remove them.
With such a list in place, the lookup in security rules only depends on auth.uid and $uid, so can be something like:
root.child('UserBuddies').child(auth.uid).hasChild($uid)
Upvotes: 0