I'm quite new to Firebase and I'm implementing my first WebApp. The WebApp should be a management system for our events (we are an event company).
So my database structure is similar to this:

    {
      "employees" : {
        "y4j2NYsc9waWzLOi4fH7HJFkZsj1" : {
          "email" : "emailadress",
          "events" : {
            "-KImpJr6asZfG28vCF5I" : {
              "isPlanned" : true
            },
            "-KImqNoVIJjeiU-f1FtM" : {
              "isPlanned" : true
            }
          },
          "givenname" : "Tobias",
          "role" : 10,
          "surname" : "K.",
          "uid" : "y4j2NYsc9waWzLOi4fH7HJFkZsj1"
        }
      },
      "events" : {
        "-KImpJr6asZfG28vCF5I" : {
          "date" : 1464386400000,
          "employees" : [ "58438e51-40a8-4c60-bd28-d9f5ee2f2871", "y4j2NYsc9waWzLOi4fH7HJFkZsj1" ],
          "name" : "Schützenfest"
        },
        "-KImpXeis1gDGGCWIx83" : {
          "date" : 1467237600000,
          "employees" : [ "0e9f20c0-547d-46e9-ad01-c7152812a3b2", "658feaf6-26a2-4ea5-b932-a661191f0f38" ],
          "name" : "Sommerfest"
        }
      },
      "roles" : {
        "Admin" : 99,
        "Chef" : 50,
        "Freelancer" : 15,
        "Mitarbeiter" : 20,
        "Praktikant" : 10
      }
    }

My security rules look like:

    {
      "rules": {
        "events": {
          "$event": {
            ".read": "root.child('employees/' + auth.uid + '/role').val() >= 20 || root.child('employees/' + auth.uid + '/events/' + $event + '/isPlanned').val() === true",
            ".write": "root.child('employees/' + auth.uid + '/role').val() >= 20 || root.child('employees/' + auth.uid + '/events/' + $event + '/isPlanned').val() === true"
          }
        },
        "employees": {
          "$employee": {
            ".read": "auth !== null",
            "role": {".write": "root.child('employees/' + auth.uid + '/role').val() >= 50"},
            "$other": {".write" : "$employee === auth.uid"}
          }
        },
        "roles": {
          ".read": "auth !== null",
          ".write": false
        }
      }
    }

I want to achieve that employees with a role under 20 can only see the events where they have to work.
In my code I have a page where all events are listed. If an employee has a role under 20, only the events where he has to work should be shown. My assumption was that when I do

    var ref = new Firebase("https://myid.firebaseio.com/events");
    var allEvents = $firebaseArray(ref);

I would get all the events my employee has access to. But I get an error like this:

    Error: permission_denied: Client doesn't have permission to access the desired data.

Is there a way to implement my wish?
Thanks a lot!
Best wishes
Tobi
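
Added example, not part of the original post: a small JavaScript model of how Realtime Database read rules are evaluated, showing why the list read on `/events` is denied while per-event reads through the employee's own index succeed. The `db` object, the keys `uidLow`, `uidHigh`, `evA`, `evB` and the functions `eventReadRule`, `canRead` and `readableEvents` are constructed for illustration and are not Firebase APIs.

```javascript
// Constructed sample data, trimmed from the structure in the post.
const db = {
  employees: {
    uidLow: { role: 10, events: { evA: { isPlanned: true } } },
    uidHigh: { role: 20 },
  },
  events: { evA: { name: "Schützenfest" }, evB: { name: "Sommerfest" } },
};

// The post's ".read" rule for /events/$event, written as a plain function.
function eventReadRule(uid, eventId) {
  const me = db.employees[uid] || {};
  return me.role >= 20 ||
    (me.events && me.events[eventId] && me.events[eventId].isPlanned) === true;
}

// Model of the read check: a read is granted only if a ".read" rule at the
// requested location (or an ancestor) is true. Rules on child nodes are not
// used to filter a read of the parent; the whole read is allowed or denied.
function canRead(uid, path) {
  const [top, eventId] = path.split("/").filter(Boolean);
  if (top !== "events") return false; // only /events is modelled here
  if (!eventId) return false;         // the posted rules have no ".read" at /events
  return eventReadRule(uid, eventId);
}

// A listing that works under the posted rules: walk the employee's own index
// (/employees/$uid/events) and read each event individually.
function readableEvents(uid) {
  const index = (db.employees[uid] || {}).events || {};
  return Object.keys(index)
    .filter((id) => canRead(uid, "events/" + id))
    .map((id) => ({ id, ...db.events[id] }));
}

console.log(canRead("uidLow", "events"));     // list read on /events
console.log(canRead("uidLow", "events/evA")); // single planned event
console.log(readableEvents("uidLow"));
```

In this model the list read on `/events` is denied for the role-20 user as well, because the only `.read` rule sits one level down at `$event`; a list read needs a `.read` rule at `/events` itself.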