javascript - Multiple admins in Firebase - is it possible?
I'm trying to create a client-side application using the Firebase database service, and I'm experiencing difficulties defining security rules that allow multiple 'admin' users to access data.
My data schema looks like this:
    {
      "admins": {
        "simplelogin:1": true,
        "facebook:1234": true
      },
      "mydata": {
        "simplelogin:1": { ..... },
        "google:1234": { ..... },
        "facebook:1234": { ..... }
      }
    }

I'm trying to allow a logged-in user to write to their place inside the 'data' object (I'm writing with ref.child('mydata').child(auth.uid).set(...)), and to prevent a user from accessing other users' data. In addition, a user whose uid is defined in the 'admins' data should be able to read/write the 'mydata' object.
My security JSON is defined like this:

    {
      "rules": {
        "admins": {
          ".write": false,
          ".read": true
        },
        "mydata": {
          "$user_id": {
            ".read": "$user_id === auth.uid || root.child('admins').hasChild(auth.uid)",
            ".write": "$user_id === auth.uid || root.child('admins').hasChild(auth.uid)"
          }
        }
      }
    }

I'm adding users to 'admins' manually using a local node service I'm running each time I make a user an admin.
Of course this is not working, since 'mydata' has no explicit definition of read/write permissions. When I'm trying to read ref.child('mydata').once('value', function() {..}) as a user whose uid is in 'admins', I'm not able to do so.
I'm trying to run the following query as a user whose uid is in 'admins', and it gets permission denied:

    ref.child('mydata').once('value',
      function(snapshot) { console.log(snapshot.val()) },
      function() { console.log(arguments) })

Is what I'm trying to do possible?
There's nothing stopping you from adding rules directly to mydata. This gives admins direct access to mydata (and the nodes within it). If the user isn't an admin, they can access their own node.
    "mydata": {
      ".read": "root.child('admins').hasChild(auth.uid)",
      ".write": "root.child('admins').hasChild(auth.uid)",
      "$user_id": {
        ".read": "$user_id === auth.uid",
        ".write": "$user_id === auth.uid"
      }
    }

Regarding Firebase's cascading security rules, the key part to understand is:
the child rules can grant additional privileges to what parent nodes have declared.
Basically, if you're an admin, you're granted read and write at the mydata level (and its children), and nothing can revoke that. If you're not an admin, you can still gain access at a lower level, as in the above example.
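
A simplified model of the cascade discussed in the question and answer above, added here as an example; it is not code from the original post or from Firebase. Rule strings are rewritten as JavaScript predicates, and the `allowed` function, the helper names and the sample uids are assumptions made for illustration.

```javascript
// Simplified model of rule cascading, not Firebase's rule engine:
// each rule string is written as a JS predicate (auth, vars) => boolean.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const admins = { 'simplelogin:1': true, 'facebook:1234': true }; // constructed sample data

const isAdmin = (auth) => auth !== null && has(admins, auth.uid);
const isOwner = (auth, vars) => auth !== null && vars.$user_id === auth.uid;
const ownerOrAdmin = (auth, vars) => isOwner(auth, vars) || isAdmin(auth);
const adminsNode = { '.read': () => true, '.write': () => false };

// Rules from the question: nothing is declared at the mydata level itself.
const questionRules = {
  admins: adminsNode,
  mydata: { $user_id: { '.read': ownerOrAdmin, '.write': ownerOrAdmin } },
};

// Rules from the answer: admin check on mydata, owner check on each child.
const answerRules = {
  admins: adminsNode,
  mydata: {
    '.read': isAdmin,
    '.write': isAdmin,
    $user_id: { '.read': isOwner, '.write': isOwner },
  },
};

// Walk from the root towards `path`. The first rule that evaluates to true
// grants the operation; rules below the requested path are never consulted.
function allowed(rules, op, path, auth) {
  const vars = {};
  let node = rules;
  const grants = (n) => typeof n[op] === 'function' && n[op](auth, vars);
  if (grants(node)) return true;
  for (const segment of path.split('/').filter(Boolean)) {
    let next = has(node, segment) ? node[segment] : undefined;
    if (next === undefined) {
      const wildcard = Object.keys(node).find((k) => k.startsWith('$'));
      if (wildcard === undefined) return false; // no rule declared: default deny
      vars[wildcard] = segment;
      next = node[wildcard];
    }
    node = next;
    if (grants(node)) return true;
  }
  return false;
}

const admin = { uid: 'simplelogin:1' };
console.log(allowed(questionRules, '.read', 'mydata', admin)); // false
console.log(allowed(answerRules, '.read', 'mydata', admin)); // true
```

With the question's rules the admin can read each child of mydata individually but not mydata as a whole, which is the permission-denied result the question reports.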