Firebase Give Read Access to Specific User

Security Rules

Role-Based Access Control in Cloud Firestore

Learn how to use Firebase Security Rules to implement role-based Firestore access

I'll try to explain this with an example, so that you can easily understand when to use this method of authorization when building your application.

Role-Based User Authorization: users can hold many roles, and each role grants different privileges that permit different operations on your (Firestore) database.

To better understand this, let's take a look at the following data model.

Here in our data model we have a users collection containing a number of user documents. Each user document has a field roles, an array of strings, where each string names a role the user holds, allowing them to perform actions according to the privileges that role grants.

There is a slight issue with how the data model is structured: users can edit their own roles, so we need to restructure the data model so that only admin users can edit other users' roles.

Let's create a posts collection to separate users' roles from their data:

Documents in the posts collection have four main fields: content (and also an image), published, which determines whether the post is public, a timestamp recording when it was published, and userId, which associates the post with its author.

Let's understand the logic of how this works with rules:

Look at the match block which references the users collection on line 4. It has custom functions attached to it; you'll learn to implement them later, after we understand the logic.

So basically, on the users collection we want to allow read if a user is logged in to our app. Updating or deleting a user requires admin privileges. To check whether a request comes from an admin account we use hasAnyRole(list), which takes a list of strings that we match against the roles of the requesting user; if the user holds any of those roles the operation is allowed.

Now, regarding the posts collection: to read a post we check that a user is logged in and that the post has been published. However, an admin can read any post, whether it is published or not, so we add an "or admin" check, which tests whether the requesting user is an admin and lets admins read unpublished posts.

When creating a post we first check that the document has all the required fields in a valid format and that the requesting user is the author of the post.

Updating a post is almost the same process, but we only permit certain fields of a document to change once it has been posted. So we use another custom function to validate an update request, and we also allow additional roles to update a post.

Finally, a post can only be deleted by an admin, so we check whether the requesting user is an admin. You could optionally allow the author to delete their own post, but that depends on your use case.

Custom Functions

Let's get to the functions left unimplemented in the logic above:

This function is pretty straightforward: it only checks that the requesting user's auth attribute is not null.

The next function is hasAnyRole:

This function first checks that the user is logged in, then reads the roles array we added to the user document in the data model and checks whether it contains any of the given roles.

Checking the validity of a post is a bit more complex than these, as we need to check multiple attributes to validate the request.

The post variable holds the incoming data from the request.

The isOwner variable holds a boolean indicating whether the requesting user is the owner of the post.

isNotFromPastOrFuture checks that the timestamp on the incoming data is neither in the past nor in the future. This lets you validate server-side that the user is not trying to back-date or forward-date a post.

The hasMandatoryFields variable checks that all the mandatory keys exist in the incoming data. This helps you reject incomplete data sent through unauthorized clients.

Finally, the function returns the conjunction of all these booleans.

Now, validation of a post update is a bit different:

As in the new-post function, the post variable holds the incoming data.

Unlike the new post, here we only need to check that the request touches nothing but the keys that may be modified after the post is published.

The isValid variable checks that the content is a string (this depends on the data type you want it to be) and that the content length doesn't exceed 2000 characters.
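The rule logic for the users and posts collections and the custom functions described above, written out as one complete rules file. This is an added example, not the rule snippets from the original article (those are not reproduced on this page). It assumes the four post fields named above, that only content and published may change after a post is created, that 'editor' is the name of the extra role allowed to update posts, and that clients write the timestamp with a server timestamp so it can be compared against request.time.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries a Firebase Auth token.
    function isSignedIn() {
      return request.auth != null;
    }

    // Reads the caller's own user document and returns its roles array.
    // get() is a billed document read and counts toward the per-request
    // limit on get()/exists() calls; if the document is missing the rule
    // evaluation fails and the request is denied.
    function userRoles() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.roles;
    }

    // True when the caller is signed in and holds at least one of the given roles.
    function hasAnyRole(roles) {
      return isSignedIn() && userRoles().hasAny(roles);
    }

    // Validates a new post on create.
    function isValidNewPost() {
      let post = request.resource.data;
      let isOwner = post.userId == request.auth.uid;
      // Only holds when the client writes FieldValue.serverTimestamp(),
      // so a client cannot back-date or forward-date a post.
      let isNotFromPastOrFuture = post.timestamp == request.time;
      let hasMandatoryFields = post.keys().hasAll(['content', 'published', 'timestamp', 'userId']);
      let isValidContent = post.content is string && post.content.size() <= 2000;
      return isOwner && isNotFromPastOrFuture && hasMandatoryFields && isValidContent;
    }

    // Validates an update: only the assumed editable keys may change,
    // and content must remain a bounded string.
    function isValidUpdatedPost() {
      let post = request.resource.data;
      let onlyEditableKeys = post.diff(resource.data).affectedKeys().hasOnly(['content', 'published']);
      let isValid = post.content is string && post.content.size() <= 2000;
      return onlyEditableKeys && isValid;
    }

    match /users/{userId} {
      // Any signed-in user may read user documents; note this also exposes
      // every user's roles array to every signed-in client.
      allow read: if isSignedIn();
      // Only admins may change or remove a user, so nobody can grant
      // themselves a role. There is no create rule: client-side creation is
      // denied by default, so user documents are written from a trusted
      // backend (the Admin SDK bypasses security rules).
      allow update, delete: if hasAnyRole(['admin']);
    }

    match /posts/{postId} {
      // Published posts are readable by any signed-in user; admins read all.
      allow read: if isSignedIn() && (resource.data.published == true || hasAnyRole(['admin']));
      allow create: if isSignedIn() && isValidNewPost();
      // The author, or a holder of an additional role ('editor' is an
      // assumed role name), may update within the validated field set.
      allow update: if isSignedIn() && isValidUpdatedPost()
                    && (resource.data.userId == request.auth.uid || hasAnyRole(['admin', 'editor']));
      allow delete: if hasAnyRole(['admin']);
    }
  }
}
```

Deploy with `firebase deploy --only firestore:rules`, and exercise the rules against the Firestore emulator before shipping: a test should confirm that a non-admin cannot update its own users document, that a signed-in user cannot create a post with someone else's userId or a client-chosen timestamp, and that an update touching userId or timestamp is rejected.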

This was a basic example of role-based authorization. You can customize these rules to match your purpose.

I hope this article helped you understand writing Firestore rules. If you find anything difficult to understand, feel free to leave a comment.


Source: https://medium.com/firebase-developers/role-based-access-in-firebase-firestore-firestore-rules-6d36cded1b15
