-
Star
(142)
You must be signed in to star a gist -
Fork
(25)
You must be signed in to fork a gist
-
-
Save sararob/331760829a9dcb4be3e7 to your computer and use it in GitHub Desktop.
| /* | |
| This example shows how you can use your data structure as a basis for | |
| your Firebase security rules to implement role-based security. We store | |
| each user by their Twitter uid, and use the following simplistic approach | |
| for user roles: | |
| 0 - GUEST | |
| 10 - USER | |
| 20 - MODERATOR | |
| 99 - ADMINISTRATOR | |
| This file shows the data structure, and the security-rules file below | |
| shows the corresponding security rules. | |
| */ | |
| { | |
| "users": { | |
| "twitter:12345": { | |
| "full-name": "Sara Robinson", | |
| "username": "SRobTweets", | |
| "role-value": 10 | |
| }, | |
| "twitter:56789": { | |
| "full-name": "Michael 'Kato' Wulf", | |
| "username": "katowulf", | |
| "role-value": 20 | |
| } | |
| .... | |
| }, | |
| "rooms": { | |
| "public-room-1": { | |
| "users": { | |
| "twitter:56789": 20, | |
| "twitter:12345": 10 | |
| } | |
| }, | |
| "admin-only-room": { | |
| "users": { | |
| "twitter:56789": 20 | |
| } | |
| } | |
| ... | |
| }, | |
| "messages": { | |
| "public-room-1": { | |
| -JVwTPcWMIt0J6Gbtrqh: { | |
| "user": "twitter:12345", | |
| "text": "Hello everyone!" | |
| } | |
| ... | |
| }, | |
| "admin-only-room": { | |
| -JVwU5tLQRPbzXo4s_a1: { | |
| "user": "twitter:56789", | |
| "text": "This is a top secret message." | |
| } | |
| ... | |
| } | |
| } | |
| } |
| { | |
| "rules": { | |
| ".read": true, | |
| "users": { | |
| "$user": { | |
| //can add a message if authenticated | |
| ".write": "auth.uid === $user" | |
| } | |
| }, | |
| "rooms": { | |
| "$room": { | |
| "users": { | |
| // can write to the users list only if ADMINISTRATOR | |
| "$user": { | |
| "write":"newData.parent().child(auth.uid).val() === 99" | |
| } | |
| } | |
| } | |
| }, | |
| "messages": { | |
| "$room": { | |
| "$message": { | |
| //can add a message if they are a MEMBER | |
| ".write": "(!data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10)" | |
| } | |
| } | |
| } | |
| } | |
| } |
Would be nice to address the problem of users being able to change their own role.
I ended up trying this. Not sure how well it will work
type User {
name: String,
email: String,
isMember: Boolean,
}
type Role {
isAdmin: Boolean
}
path /users/{uid} is User {
read() { isCurrentUser(uid) || isAdmin(uid) }
write() { isCurrentUser(uid) || isAdmin(uid) }
validate() { this.isMember === false || isAdmin(uid) }
}
path /roles/{uid} is Role {
read() { isAdmin(uid) }
write() { isAdmin(uid) }
}
isCurrentUser(uid) { auth != null && auth.uid == uid }
isAdmin(uid) { auth != null && root.roles.uid.isAdmin.val() }
This is getting me closer to an answer http://stackoverflow.com/questions/21815229/is-there-a-way-to-restrict-registrations-in-firebase/21834842#21834842
@Andersos if you don't mind, what is that code you used in your previous comment? Looks interesting
I just wrote up some thoughts on what I think is a promising solution to admin / moderator roles from the Firechat app (written by the Firebase devs) - http://curlybrackets.co/blog/2016/03/07/implementing-roles-in-firebase/
@lazabogdan if it still matter, that code was written in Bolt.
Accordingly to Firebase "Bolt is a high level modeling and security language that lets you easily translate your application’s data structure to the low-level JSON rules needed to secure your data in Firebase."
I`m using it in some projects and its preety good.
are you still using it ? It is not clear if it will be maintained after Firebase 3.0
I am working on an advanced role based security rules system for an app based on this.
chat_permissions
chat1
admins
user1= true
user2 = true
observers
user3 = true"chat_permissions": {
".read": "auth != null",
"$group": {
".write": "data.child('admins').hasChild(auth.uid) || !data.child('admins').exists() "
// allows to modify users permissions (as well as add or delete users) if user is admin or if there are no admins
}
}
After this you set all security rules based on user permissions
Why do you want to this ir you have the admin sdk for node?
@AWolf81 Any progress? I'm just now learning firebase and am looking for some means of defining/assigning roles securely. I'm not sure of the proper way to organize the database