
I'm working on an app where you can ask your friends to add stuff to your calendar, to plan fun days for and with you. So my main data structure is a Calendar which contains a list of Events.

/calendar/{calendarId}/events/{eventId}

And an Event has the following shape:

type Event {
  createdAt: String;
  owner: UserReference;
  description: String;
  title: String;
  isLocked: Boolean;
  nSlots: SlotNumber;
  startSlot: SlotNumber;
  startDay: DateString;
  location: Location;
  isWithOwner: Boolean;
  feedback: EventFeedback;
}

Great, users can see someone's calendar and add events to it. But my users now gave me the feedback that they would sometimes like to add an event to someone's calendar where the title is visible, but the description of the event is hidden to the public.

How would I implement this with the Firebase security rules? I understand that access cascades, so if the Event is visible to someone, all fields are.

A solution I considered: I could keep two lists, of public and secret events. The problem is that I still want to show secret events on the calendar, just their description should be hidden.

dedan
  • If you are planning to go with 2 separate event lists you can show description and title from event path and fetch only the title from the secret list. – Hussam Nov 01 '18 at 11:30
  • Description could be a string ('public') or an {object} that contains a location/key. E.g. The secret location could be a branch of the user's timeline called `private_descriptions` that checks `"read": auth !== null && $uid === auth.uid, "write" : auth !== null && data === null` (create only). When creating the event, you `push` a description into this branch and remember the key (pushing returns the key). If you want the original text to be displayed to the creator, then push the same key into their private branch. – James Poag Nov 01 '18 at 12:00
  • In fact, you would only need the push key and the code would always check the logged in user's private description branch. This way you could 'invite' lots of people by pushing the same key to all of their private queues. – James Poag Nov 01 '18 at 12:02
  • A user can either read an entire node (and everything under it), or they can't read the node. There is no way to disallow reading of certain properties under a node. This means you'll want to put the non-public data in a separate node. For some examples of this, see https://stackoverflow.com/a/38649032, https://stackoverflow.com/a/48781781 – Frank van Puffelen Nov 01 '18 at 15:36
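One way to write rules for the separate-node layout suggested in the comments above, as an added example that is not part of the original thread. It assumes the Realtime Database, that `$calendarId` is the calendar owner's uid, that `owner` holds the creator's uid, and a hypothetical `privateDescriptions` branch whose entries have `owner` and `text` children:

```json
{
  "rules": {
    "calendar": {
      "$calendarId": {
        "events": {
          // Read is granted on the whole list and cascades to every field of
          // every event, so secret text must never be stored under this node.
          ".read": "auth != null",
          "$eventId": {
            // Create-only: any signed-in user may add an event they own.
            ".write": "auth != null && !data.exists() && newData.child('owner').val() === auth.uid",
            // 'description' stays optional here: present for public events,
            // omitted for secret ones.
            ".validate": "newData.hasChildren(['title', 'owner'])"
          }
        }
      }
    },
    // Hypothetical branch name; it mirrors the calendarId/eventId keys above.
    "privateDescriptions": {
      "$calendarId": {
        "$eventId": {
          // Assumption: calendarId equals the calendar owner's uid. Only that
          // user and the event's creator can read the hidden text.
          ".read": "auth != null && (auth.uid === $calendarId || auth.uid === data.child('owner').val())",
          // Create-only, and the writer must record themselves as owner.
          ".write": "auth != null && !data.exists() && newData.child('owner').val() === auth.uid",
          ".validate": "newData.hasChildren(['owner', 'text']) && newData.child('text').isString()"
        }
      }
    }
  }
}
```

No `.read` rule is set at `privateDescriptions` or `privateDescriptions/$calendarId`, so the branch cannot be listed; a client reads one entry by its known `eventId`.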

0 Answers