
All of the examples show securing Firebase Database with a single user. In my application, I have several Firebase Auth users who are grouped into an account. All of the users on the account should have access to read/write to nodes grouped under the account id.

Here's a sample of how it is structured:

- users
  - [user id1]
  - [user id2]
  - [user id3]
- accounts
  - [account id1]
     - [user id1]
     - [user id2]
  - [account id2]
     - [user id3]
- things
  - [account id1]
     - thing 1
     - thing 2
  - [account id2]
     - thing 3
     - thing 4

I want only users who are a part of an account to be able to read/write "things" within their own account node. So [user id1] and [user id2] should be able to read/write only "things" within the [account id1] node. Is this possible with the Firebase Database rules?

Aaron
    This is known as [group based security](https://www.google.com/search?q=site:stackoverflow.com+firebase+group+based+security) or [role based security](https://www.google.com/search?q=site:stackoverflow.com+firebase+role+based+security). – Frank van Puffelen May 10 '18 at 04:46
  • Thanks @FrankvanPuffelen - that sent me in the right direction of an answer! – Aaron May 10 '18 at 13:58

1 Answer

Frank's comment on my question led me in the right direction and led me to this thread where I found the answer that I needed:

https://stackoverflow.com/a/19524810/265333

I ended up also storing the [account id] with the user:

- users
  - [user id1]
     - [account id1]
  - [user id2]
     - [account id1]
  - [user id3]
     - [account id2]

Once I did that, I could write a database rule like this:

```json
"things": {
  "$acctid": {
    ".read": "auth != null && root.child('users').child(auth.uid).child('AccountId').val() == $acctid",
    ".write": "auth != null && root.child('users').child(auth.uid).child('AccountId').val() == $acctid"
  }
}
```
Aaron
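The following is an added, complete rules file for the structure described in the question and the answer above; it is example configuration written here, not code from either post or from the linked thread. It keeps the answer's `users/$uid/AccountId` field but grants access to `things/$acctid` from the question's own `accounts/$acctid/$uid` membership node, so a user who can edit their own profile cannot grant themselves a different account simply by changing `AccountId`. It assumes account membership under `accounts` is written only by a trusted backend (for example the Admin SDK), which is why no client `.write` is granted there; that is an assumption of this example, not something the posts state.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "AccountId": {
          ".validate": "root.child('accounts').child(newData.val()).child($uid).exists()"
        }
      }
    },
    "accounts": {
      "$acctid": {
        ".read": "auth != null && data.child(auth.uid).exists()"
      }
    },
    "things": {
      "$acctid": {
        ".read": "auth != null && root.child('accounts').child($acctid).child(auth.uid).exists()",
        ".write": "auth != null && root.child('accounts').child($acctid).child(auth.uid).exists()"
      }
    }
  }
}
```

Two points worth checking when adapting this: Realtime Database rules cascade downward, so a `.read` or `.write` placed on `things` itself would apply to every account's node and could not be narrowed at `$acctid`; keep the grants at the `$acctid` level as shown. The `.validate` on `AccountId` rejects any value that does not match an existing membership entry, which is what makes the answer's `.val() == $acctid` comparison safe to rely on if you prefer to keep that form of the rule.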