How to add rule to firebase to give a group of user ids access to a path?

Question

I have a document in Firebase structured like so:

{
  applications: {
    id_1: {
      feature: {
        a: true,
        b: false
      },
      users: ['user_id_1', 'user_id_2']
    }
  }
}

I want to add a rule that ensures only users in the users array can read and write to the application with id === id_1.

I have tried adding the following rules but still seem to be able to read and write data when logged in as user_id_3

{
  "rules": {
    ".read": "now < 1643846400000",  // 2022-2-3
    ".write": "now < 1643846400000",  // 2022-2-3,
    "applications": {
      "$appId": {
        ".write": "data.child('users').hasChild(auth.uid)",
        ".read": "data.child('users').hasChild(auth.uid)"
      }
    }
  }
}

How can I add a rule to give access to a group of users?

Answer 1

The hasChild function used in your rules example only checks for keys that are children of the path you specified. In your case, the path is applications/$appId/users.

The data stored at applications/$appId/users is an array, so the key for each item in the array would be the item's index. This is why your rule doesn't work - you are checking for user_id_1 or user_id_2, but the keys in your data are 0 and 1. There is no current equivalent for "array contains" when writing Firebase rules.

One solution would be to change the data structure of applications/$appId/users to be an object instead of an array. For example:

{
  applications: {
    id_1: {
      feature: {
        a: true,
        b: false
      },
      users: {
        user_id_1: true,
        user_id_2: true
      }
    }
  }
}

Then using hasChild in your rules will work since the user's id is a child of applications/$appId/users.

On thing to note about your security in general: By granting write access to all of $appId, you are giving any user at applications/$appId/users the ability to edit any other user's permission. Since they are free to read/write all data at that location.