Firebase JSON Security and Arrays

Question

We'd like to use Firepad in our (mostly non-Firebase hosted) project, but we're having some troubles figuring out the best way to approach the problem.

Basically, we have many users, and each user can be a member of many groups. These "groups" each have their own Firepad which users can edit. We already have a deeply developed database structure using MySQL and don't really want to migrate our user data into Firebase right now, so we figured we'd get more creative.

We don't want users being able to edit the Firepads of groups they do not belong to. As such, as part of our authentication token, we figured we'd try sending along the user ID and the list of groups they belong to. Then, using the Firebase JSON security system, we could verify that the Firepad currently being edited is in the list of groups the user belongs to.

The problem is, the JSON system doesn't seem to accept many commands. There's no indexOf, and I can't call hasChild on the auth variable.

How can we ensure that users can only edit the Firepads of groups they belong to, without migrating all of our data to Firebase? (Or maintaining two copies of the database - one on MySQL and one on Firebase)

Michael Lehenbauer · Accepted Answer · 2013-04-11T17:46:24.737

10

The trick here is to use an object instead of an array to store the groups (a tad awkward, I know. We'll try to make this easier / more intuitive). So in your auth token, you'd store something like:

{ userid: 'blah', groups: { 'group1': true, 'group2': true, ... } }

And then in your security rules you could have something like:

{
    ...
    "$group": {
        ".read": "auth.groups[$group] == true",
        ".write": "auth.groups[$group] == true"
    }
}

And then a user will have read/write access to /groups/<group> only if <group> is in their auth token.

edited Apr 11 '13 at 17:46

answered Apr 11 '13 at 15:57

Michael Lehenbauer

16,229
1
57
59

Bingo. I probably should've thought of that, but the clarification that accessing members with square brackets is available is helpful. Thank you! – Jake Wood Apr 11 '13 at 16:30
Mike, have you guys made any improvements in this area? Are there any docs that describe what functions are available for the auth variable? – Samuel Jul 15 '15 at 19:31
@Samuel No particular changes here. In general, auth doesn't have any functions, it's just the data in your auth token. The only "function" available is if you have a string in your auth data, there are a few methods for substring / regex matching, etc.: https://www.firebase.com/docs/security/api/string/ – Michael Lehenbauer Jul 16 '15 at 00:11
How to change the "auth" object when a user gets added to a new group? For example, user J has three groups, A, B and C. User K created a new group, D and added J to it. How does the application logic allow access to J to the group D? Having J to reauth doesn't seem like the solution when he gets added to new groups in a chat application. – Pritam Barhate Jan 31 '17 at 04:24

Firebase JSON Security and Arrays

1 Answers1

Linked