Ad

Firebase Realtime Database Rules - Allow Multiple User Access To List All Messages

I would like to give multiple users access to fetch a collection of "messages" they have access to in Firebase Realtime database. The database fetch would read "/messages" and return a collection of all messages the user has access to. Database structure looks like this:

"messages" : {
  "-L123456789": {
    "access": {
      "author": "user-one-id-987654"
      "assigned-user-id-1234": "assigned-user-id-1234"
    }
    "data" : {
      "theData": "Hello world!"
    }
  }
}

I have created the following rule:

{
  "rules": {
    "messages": {
      "$message_id": {
        "data": {
          ".read": "
            //if author or assigned user
            data.parent().child('access').child('author').val() === auth.uid ||
            data.parent().child('access').child(auth.uid).exists()
          ",
          ".write": "false"
      }
    }
  }
}

However, I am not able to get a collection of all messages where I am listed as author or assigned user.

What rule would allow a user listed as "author" (user-one-id-987654) or "assigned user" (assigned-user-id-1234) to get a collection of all messages they have access to by simply reading the "/messages/" database path?

I am guessing a rule in the root of "messages" might be the answer?

I have tried the below rule - it grants access to all authenticated users - but I wish to only return a collection where the user is listed as "author" or "assigned user".

{
  "rules": {
    "messages": {
      ".read": "auth.uid !== null"
    }
  }
}

Kind regards /K

Ad

Answer

Firebase server-side security rules can not be used to filter data. When you attach a listener to the database, the server checks if that listener is guaranteed to always meet the rules (no matter what the data). If it doesn't meet the rules, the listener is rejected right away.

So if you attach a listener to /messages, the server checks if you have read permission to /messages. And since you don't, it rejects the listener.

If you want to allow the user to read messages of which they're the owner you'll need two things:

  1. A query that only retrieves the messages that the user owns.
  2. Security rules that ensure only that query is allowed.

For more on this, see the Firebase documentation on securely querying data and the blog post introducing this feature.

Ad
source: stackoverflow.com
Ad