
I have a realtime db all setup and working. The data structure is very simple:

  • Item
      • some: info
      • some: other info

  • Item 2
      • some: info
      • some: other info

My rules are also super simple:

{
   "rules": {
      ".read":"auth.uid != null",
      ".write":"auth.uid != null"
   }
}

The issue (obviously) is that while I am forcing a user to be authenticated, that's all I am requiring and any user can access all the items in the db.

What I want is a way to limit a user to an item.

something like:

Item1

  • some: info
  • some: other info
  • user_1: auth.uid
  • user_2: auth.uid2

Item2

  • some: info
  • some: other info
  • user_1: auth.uid3
  • user_2: auth.uid4

I can store that data but I am not sure how to structure my rules to limit that.

My actual json looks like:

{
    "annotations": {
        "8df0309f-dc62-821e-dd65-f0ad46396937": {
            "author": "1OXVKN3Y5Z-11",
            "xfdf": "LONG STRING"
        }
    },
    "complete": false,
    "created_at": "2020-09-01T17:52:25.653Z",
    "field_values": {
        "field_name": {
            "name": "copy",
            "value": "TEsting",
            "widgetID": "e61e3abf-7cdd-7d07-daec-6c3d3a55d667"
        }
    },
    "stamp_count": 0
}

What I plan to implement is:

{
    "annotations": {
        "8df0309f-dc62-821e-dd65-f0ad46396937": {
            "author": "1OXVKN3Y5Z-11",
            "xfdf": "LONG STRING"
        }
    },
    "complete": false,
    "created_at": "2020-09-01T17:52:25.653Z",
    "field_values": {
        "field_name": {
            "name": "copy",
            "value": "TEsting",
            "widgetID": "e61e3abf-7cdd-7d07-daec-6c3d3a55d667"
        }
    },
    "stamp_count": 0,
    "users": [ "CFX4I0PTM9-11", "CFX4I0PTM9-7"]
}

Once I implement that JSON structure, how can I set up rules to support it?

TJ Sherrill
  • Can you show actual JSON (as text, no screenshots) instead of a pseudo-structure? It really helps when writing rules, since they are quite unforgiving when it comes to syntax. – Frank van Puffelen Sep 21 '20 at 17:40
  • @FrankvanPuffelen just updated. – TJ Sherrill Sep 21 '20 at 18:30
  • Thanks. Now how does your question relate to that JSON? Is the `author` property the UID of the user that needs access? If so, that may not be enforceable, if the `"8df0309f-dc62-821e-dd65-f0ad46396937"` in the JSON is dynamic. – Frank van Puffelen Sep 21 '20 at 20:00
  • @FrankvanPuffelen I just outlined my goal for the JSON. Once I implement it, how can the rules be structured to restrict access? – TJ Sherrill Sep 22 '20 at 18:21
  • This `users` node is not valid JSON. Since it seems crucial to what you're trying to accomplish, please make sure it's valid and has data that matches with the rest of your JSON. – Frank van Puffelen Sep 22 '20 at 20:39
  • @FrankvanPuffelen I updated to correct my json. I am open to setting up a different structure, but this would be the simplest structure. – TJ Sherrill Sep 22 '20 at 22:09

1 Answer


From reading your question and the comment thread I think your requirement is:

Allow a user to access an item if their UID is associated with that item.

In that case, you'll first need to ensure that the UIDs are in keys, as you can't search across multiple values, as your proposed users array would require. So you'd end up with:

"items": {
  "item1": {
    ...
    "users": {
      "CFX4I0PTM9-11": true, 
      "CFX4I0PTM9-7": true
    }
  }
}

Now with this structure, you can ensure a user can only update items where their UID is in the users map with rules like this:

{
  "rules": {
    "items": {
      "$itemid": {
        ".write": "data.child('users').child(auth.uid).exists()"
      }
    }
  }
}

For reading the specific item you could use a similar rule. That will allow the user to read an item once they know its complete path, and when their UID is in the users map.

But you won't be able to query this structure, as you can only index on named properties. For more on this, and the alternative data structure to still implement your use case, see Firebase query if child of child contains a value

Frank van Puffelen
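The following is an added example, not code from the question or the answer above. It writes out the complete rules file for the "UIDs as keys" structure the answer recommends, with a `.read` rule alongside the `.write` rule, and adds a small JavaScript model of how the Realtime Database evaluates those two rules so the access decisions can be checked offline. The `items` path, the item and user ids, and the sample database contents are constructed for the example. It also shows one caveat a practitioner hits immediately with the answer's rule: on creation of a new item `data` is empty, so a `.write` rule that inspects only `data` rejects every new item; the variant here falls back to `newData` when the item does not yet exist, and requires the creator to list their own UID.

```javascript
// Added example: Realtime Database rules for per-item membership, plus a
// model of their evaluation. Not part of the original question or answer.
// "items", the ids and the sample data below are constructed (hypothetical).

const RULES = {
  rules: {
    items: {
      $itemid: {
        // Read only if the caller's UID is a key under this item's "users" map.
        ".read": "auth != null && data.child('users').child(auth.uid).exists()",
        // Write if already a member, OR create a new item that lists the creator.
        // On creation "data" is empty, so a data-only rule would deny every new item.
        ".write":
          "auth != null && (data.child('users').child(auth.uid).exists() || " +
          "(!data.exists() && newData.child('users').child(auth.uid).exists()))",
      },
    },
  },
};

// The rules file as you would paste it into the Firebase console.
function rulesJson() {
  return JSON.stringify(RULES, null, 2);
}

// Constructed sample database contents.
const db = {
  items: {
    item1: {
      complete: false,
      users: { "CFX4I0PTM9-11": true, "CFX4I0PTM9-7": true },
    },
  },
};

// Minimal model of a RuleDataSnapshot: child() and exists() over a plain object.
function snapshot(value) {
  const isObj = value !== null && typeof value === "object";
  return {
    child: (key) => snapshot(isObj ? value[key] : undefined),
    exists: () => value !== undefined && value !== null,
  };
}

// Models the ".read" rule above. `auth` is null for an unauthenticated caller,
// otherwise an object with a `uid` property.
function canRead(database, auth, itemId) {
  const data = snapshot(database.items[itemId]);
  return auth !== null && data.child("users").child(auth.uid).exists();
}

// Models the ".write" rule above; `newValue` plays the role of newData.
function canWrite(database, auth, itemId, newValue) {
  const data = snapshot(database.items[itemId]);
  const newData = snapshot(newValue);
  return (
    auth !== null &&
    (data.child("users").child(auth.uid).exists() ||
      (!data.exists() && newData.child("users").child(auth.uid).exists()))
  );
}

// Models the answer's data-only write rule, to show the creation gap.
function canWriteDataOnly(database, auth, itemId) {
  const data = snapshot(database.items[itemId]);
  return auth !== null && data.child("users").child(auth.uid).exists();
}

module.exports = { RULES, rulesJson, db, canRead, canWrite, canWriteDataOnly };
```

Note that a `.write` grant at `$itemid` covers the whole subtree, including the `users` map itself: any member can add or remove other members (the model confirms that a member may overwrite `users` with an empty map). Rules cascade downward and cannot be revoked on a child, so if membership changes need tighter control, keep the membership map at a separate path with its own rules rather than under the item.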