/*
  This example shows how you can use your data structure as a basis for
  your Firebase security rules to implement role-based security. We store
  each user by their Twitter uid, and use the following simplistic approach
  for user roles:
    0 - GUEST
    10 - USER
    20 - MODERATOR
    99 - ADMINISTRATOR
  This file shows the data structure, and the security-rules file below
  shows the corresponding security rules.
*/
{
  "users": {
    "twitter:12345": {
      "full-name": "Sara Robinson",
      "username": "SRobTweets",
      "role-value": 10
    },
    "twitter:56789": {
      "full-name": "Michael 'Kato' Wulf",
      "username": "katowulf",
      "role-value": 20
    }
    ....
  },
  "rooms": {
    "public-room-1": {
      "users": {
        "twitter:56789": 20,
        "twitter:12345": 10
      }
    },
    "admin-only-room": {
      "users": {
        "twitter:56789": 20
      }
    }
    ...
  },
  "messages": {
    "public-room-1": {
      "-JVwTPcWMIt0J6Gbtrqh": {
        "user": "twitter:12345",
        "text": "Hello everyone!"
      }
      ...
    },
    "admin-only-room": {
      "-JVwU5tLQRPbzXo4s_a1": {
        "user": "twitter:56789",
        "text": "This is a top secret message."
      }
      ...
    }
  }
}
{
  "rules": {
    ".read": true,
    "users": {
      "$user": {
        // a user can write only to their own record (this includes role-value)
        ".write": "auth.uid === $user"
      }
    },
    "rooms": {
      "$room": {
        "users": {
          // can write to the users list only if ADMINISTRATOR
          "$user": {
            ".write": "newData.parent().child(auth.uid).val() === 99"
          }
        }
      }
    },
    "messages": {
      "$room": {
        "$message": {
          // can add a message if they are a MEMBER
          ".write": "(!data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10)"
        }
      }
    }
  }
}
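A hardened variant of the rules file above, as an added example that is not part of the original gist; it keeps the gist's paths and role values. It assumes the global role in /users/$uid/role-value is the authority for room administration and that the first ADMINISTRATOR is provisioned outside these rules (Firebase console or Admin SDK).

```json
{
  "rules": {
    // No root-level ".read": true. A grant at a parent cascades to every
    // child and cannot be revoked deeper in the tree.
    "users": {
      "$user": {
        // Assumption: any signed-in user may read profiles.
        ".read": "auth != null",
        // Owners edit their own record; an ADMINISTRATOR (99) may edit any record.
        ".write": "auth != null && (auth.uid === $user || root.child('users/' + auth.uid + '/role-value').val() === 99)",
        "role-value": {
          // Non-admins must leave an existing role unchanged and may only
          // create a record as GUEST (0). root is the data before the write,
          // so a write cannot vouch for itself.
          ".validate": "root.child('users/' + auth.uid + '/role-value').val() === 99 || (data.exists() && newData.val() === data.val()) || (!data.exists() && newData.val() === 0)"
        }
      }
    },
    "rooms": {
      "$room": {
        "users": {
          // Assumption: signed-in users may see who is in a room.
          ".read": "auth != null",
          "$user": {
            // Membership changes need the global ADMINISTRATOR role, read
            // from existing data rather than from newData.
            ".write": "root.child('users/' + auth.uid + '/role-value').val() === 99"
          }
        }
      }
    },
    "messages": {
      "$room": {
        // Only members of the room can read its messages.
        ".read": "root.child('rooms/' + $room + '/users/' + auth.uid).exists()",
        "$message": {
          // Create-only, by members with role USER (10) or higher.
          ".write": "!data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10",
          // The "user" field must name the writer.
          ".validate": "newData.child('user').val() === auth.uid"
        }
      }
    }
  }
}
```

".validate" rules are not evaluated when data is deleted, so a user can still remove their own role-value; that only lowers their privilege, because the next write can set it to 0 at most.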
Would be nice to address the problem of users being able to change their own role.
I ended up trying this. Not sure how well it will work.
type User {
  name: String,
  email: String,
  isMember: Boolean,
}
type Role {
  isAdmin: Boolean
}
path /users/{uid} is User {
  read() { isCurrentUser(uid) || isAdmin(uid) }
  write() { isCurrentUser(uid) || isAdmin(uid) }
  validate() { this.isMember === false || isAdmin(uid) }
}
path /roles/{uid} is Role {
  read() { isAdmin(uid) }
  write() { isAdmin(uid) }
}
isCurrentUser(uid) { auth != null && auth.uid == uid }
// Index /roles by the uid argument; root.roles.uid would read a child literally named "uid".
isAdmin(uid) { auth != null && root.roles[uid].isAdmin.val() }
This is getting me closer to an answer http://stackoverflow.com/questions/21815229/is-there-a-way-to-restrict-registrations-in-firebase/21834842#21834842
@Andersos if you don't mind, what is that code you used in your previous comment? Looks interesting
I just wrote up some thoughts on what I think is a promising solution to admin / moderator roles from the Firechat app (written by the Firebase devs) - http://curlybrackets.co/blog/2016/03/07/implementing-roles-in-firebase/
@lazabogdan if it still matters, that code was written in Bolt.
According to Firebase, "Bolt is a high level modeling and security language that lets you easily translate your application’s data structure to the low-level JSON rules needed to secure your data in Firebase."
I'm using it in some projects and it's pretty good.
Are you still using it? It is not clear if it will be maintained after Firebase 3.0.
I am working on an advanced role based security rules system for an app based on this.
chat_permissions
  chat1
    admins
      user1 = true
      user2 = true
    observers
      user3 = true
"chat_permissions": {
  ".read": "auth != null",
  "$group": {
    ".write": "data.child('admins').hasChild(auth.uid) || !data.child('admins').exists() "
    // allows modifying users' permissions (as well as adding or deleting users) if the user is an admin or if there are no admins
  }
}
After this you set all security rules based on user permissions
Why do you want to do this if you have the Admin SDK for Node?
@AWolf81 Any progress? I'm just now learning firebase and am looking for some means of defining/assigning roles securely. I'm not sure of the proper way to organize the database