Protected content in Firebase possible?

Question

I'm trying to figure out a way to model the following data in Firebase, and I'm not sure if it's possible.

Say I have a list of posts. Some of those I want to flag as private, where the author specifies members of their friends list can view it. Is this possible, and if so is it possible without defining posts and private posts separately.

score 5 · Accepted Answer · edited Oct 06 '14 at 23:19

You can specify which posts may be read and written using security rules. For example, if I have this data set:

{
   "users": {
      "me": {
          "friends" { "jack", "mary" }
      },
   },
   "posts": {
       "post1": {
            "owner": "me",
            ...
       }
   }
}

I could use a security rule like the following:

{
   "posts": {
       "$post_id": {
           // any friend can read my post
           ".read":  "auth.uid === data.child('owner').val() || root.child('users/'+data.child.owner.val()+'/friends/'+auth.uid).exists()",
           // only I can write it
           ".write": "auth.uid === data.child('owner').val()"
       }
   }
}

Keep in mind, however, that security rules can't be used as a filter. You can't iterate a list of posts and only expect to get back the ones friends are allowed to see--if it encounters items in the list that aren't readable, then the operation will fail to return results.

So could a friend query for posts that he's allowed to see? And would real-time work to get those posts? — Georg, Jun 01 '16 at 22:41
this rules works for the new data? when we insert the first time ? — BruceOverflow, Jan 02 '17 at 22:10

Protected content in Firebase possible?

1 Answers1

Linked