
Let's say you have a Firebase database with news articles to show in a webapp. On the top level we use Firebase auth to make sure that the user has access to the news articles in the first place.

But then the different articles (items in the news database) should be visible for different people. For example, users I put in a group called "management" should have access to view some articles that the rest of the users cannot.

How can I achieve this using Firebase? (Web-version)

Sample database:

{
  "newsfeed" : {
    "1001" : {
      "body" : "Lots of text here for the body of the article.",
      "header" : "This is an open article",
      "leadParagraph" : "With a lead paragraph and lots of content",
      "permissions" : {
        "All" : false,
        "Group11" : true,
        "Management" : true
      }
    },
    "1002" : {
      "Permissions" : {
        "All" : true
      },
      "body" : "Content here",
      "header" : "Testarticle for everyone",
      "leadParagraph" : "Everyone can read this one"
    }
  }
}

So the question is not about how to limit a user's access to the whole of "newsfeed", but rather how to edit access individually on the item level. In the example above all users can read item 1002, whilst only users that are tagged as members of the groups "Management" and/or "Group11" should be able to read item 1001.

Is this possible with rules dynamically? If I have to create a new rule for every item, is there a limit to the number of rules?

Publicus
  • Show the JSON structure (in text, not a picture of text) instead of describing it. It also would be welcome if you show what you've already tried, given that this is quite well documented: https://www.firebase.com/docs/security/guide/. Pay special attention to [Rules Are Not Filters](https://www.firebase.com/docs/security/guide/securing-data.html#section-filter), which trips everyone up. – Frank van Puffelen Dec 13 '15 at 16:06
  • After some more digging I found this post: http://stackoverflow.com/questions/14491496/granting-access-to-firebase-locations-to-a-group-of-users?rq=1 It gives two examples that are both what I'm trying to accomplish, so I think this will solve my problem. – Publicus Dec 13 '15 at 23:55
  • Perfect! If you have any more problems, post your JSON, the security rules you've already created and the code for the read or write operation that is causing problems. – Frank van Puffelen Dec 14 '15 at 01:28

1 Answer

If you haven't already, I would read the Security Quickstart guide. It does a great job of explaining how Firebase security rules work.

In the case of your problem, I would suggest having a list of groups, where each group has the uids of the users in that group. For example:

{
  "groups" : {
    "Group11" : {
      "<uid1>": true,
      "<uid2>": true
    },
    "Management" : {
      "<uid1>": true,
      "<uid2>": true
    }
  }
}

If a user is a member of a group, add their uid to the group's list of members. Then in your rules, you can make the .read check whether or not the user who is trying to read the data has their uid in any of the allowed groups.

Sman25
  • Although I like that "security quickstart" guide, it has been deprecated. Try [this one](https://firebase.google.com/docs/database/security/quickstart) instead. – coco Feb 16 '17 at 15:30
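
One way to write the `.read` check the answer describes, as an added example that is not part of the original answer or comments. Realtime Database rule expressions cannot loop over a node's children, so each group is named explicitly in the expression. Assumptions: the group names `Management` and `Group11` from the question, a lowercase `permissions` key on every item, and group membership written only from a trusted server (no client write rule is granted here).

```json
{
  "rules": {
    // Nothing is granted at the root, on "groups" or on "newsfeed" itself,
    // so anything not explicitly allowed below is denied. Clients can neither
    // list nor edit group membership (assumption: a trusted server/admin SDK
    // maintains it), but rule expressions can still consult it via root.
    "newsfeed": {
      "$articleId": {
        // Readable when the caller is signed in AND either the item is open
        // to all, or a group flagged on the item lists the caller's uid.
        ".read": "auth != null && (data.child('permissions').child('All').val() === true || (data.child('permissions').child('Management').val() === true && root.child('groups').child('Management').child(auth.uid).val() === true) || (data.child('permissions').child('Group11').val() === true && root.child('groups').child('Group11').child(auth.uid).val() === true))"
      }
    }
  }
}
```

Keys are case-sensitive, so item 1002 as shown in the question (with `Permissions` capitalised) would not match this rule until the key is renamed. Because rules are not filters, clients have to read `newsfeed/<id>` one item at a time; a read of the whole `newsfeed` node is denied.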