0

Here's my db structure:

{
  users: {
    "userA": {
        //data
    },
    "userB": { 
        //data
    }
  },
  groups: {
    "groupA": {
      users: {
        "userA": true,
        "userC": true
      },
      //data
    }
  }
}

As you can see, userA and userB both have access to groupA.

I want to query a list of all groups that a user has access to:


const user = firebase.auth().currentUser
firebase
  .database()
  .ref('/groups')
  .orderByChild(`users/${user.uid}`)
  .equalTo(true)
  .once('value', (v) => {
    console.log(v.val())
  });

How can I secure my db?

Currently, my rules look like this:

{
  "rules":{
    "groups": {
      ".read": "query.orderByChild == 'users/' + auth.uid"
    }
  }
}

But I'm getting an error:

Invalid == expression: right operand must be an ordering or string literal when comparing against an ordering.

Simon Tran
  • 1,461
  • 1
  • 11
  • 28
  • You are probably looking for [Firebase rules read restriction for dynamic child nodes](https://stackoverflow.com/questions/52026712/firebase-rules-read-restriction-for-dynamic-child-nodes) – Dharmaraj Aug 25 '21 at 17:51
  • I misinterpreted the the question earlier. You maybe have to restructure the database a bit as explained in above answer. – Dharmaraj Aug 25 '21 at 17:52
  • Does this mean that I would have to save the group ids that each user has access to, and then individually query each groups based on those IDs? Isn't there a way I could query all groups and filter them using orderByChild? – Simon Tran Aug 25 '21 at 18:07
  • I'm not sure I understand what you are looking for when using `".read": "query.orderByChild == 'users/' + auth.uid"`. What would you like to secure? – Alex Mamo Aug 26 '21 at 07:51
  • I need a way to query all the groups. I use orderByChild to only get the groups that have 'users/{auth.uid}" to true. Normally, if only a single user could access each group, "users" wouldn't be an array, it would only contain the userId and I could orderByChild fine. But I need to check if the current user id exists in the group's list of users – Simon Tran Aug 26 '21 at 14:20

0 Answers0