How to write a security rule for general membership

I am trying to create a security rule that allows any user in a group to read the information of any other user in the same group. In other words, the user should be able to read the user information of any user belonging to a common group.

This is what I have:

    {
      "rules": {
        "users": {
          "$user_id": {
            // Any user belonging to at least one group in common should be able to read.
            // hasAny() is the wished-for method; it is not part of the rules API.
            ".read": "$user_id === auth.uid || root.child('users/' + $user_id + '/groups').hasAny(root.child('users/' + auth.uid + '/groups'))",
            ".write": "$user_id === auth.uid",
            "groups": {
              "$group_id": {
                ".validate": "root.child('groups/' + $group_id).exists() && newData.isBoolean()"
              }
            }
          }
        },
        "groups": {
          "$group_id": {
            "name": {
              ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length < 50"
            }
          }
        },
        "members": {
          "$group_id": {
            ".read": "root.child('members/' + $group_id + '/' + auth.uid).exists()",
            ".validate": "root.child('groups/' + $group_id).exists()",
            "$user_id": {
              ".write": true, // Skipped for brevity
              ".validate": "root.child('users/' + $user_id).exists() && newData.isBoolean()"
            }
          }
        }
      }
    }

Of course, the hasAny function is not part of the API. Is there a way to do this using the existing API? Are there any plans to add something like this?

+5
2 answers

To save the user’s friend list.

You will need to save the link to the user's friend list. When a user joins a group, add a member of the auth.uid group to the friends list. Then only his friends can read his profile.

    {
      "rules": {
        // $user_id   == current user auth.uid
        // $friend_id == his friend auth.uid
        // $member_id == group member auth.uid
        "users": {
          "$user_id": {
            "friends": {
              "$friend_id": {}
            },
            // readable by my friends:
            ".read": "auth != null && data.child('friends').hasChild(auth.uid)"
          }
        },
        "groups": {
          "$group_id": {
            "members": {
              "$member_id": {}
            }
          }
        }
      }
    }
0
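The friend-list bookkeeping this answer describes, as an added example that is not part of the original answer. It goes beyond the answer by also covering leaving a group, where a friend link must survive if the two users still share another group and must be removed otherwise, so stale links do not keep read access open. Assumptions: the function names are hypothetical, a plain object stands in for the database, and the writes come from trusted server-side code, since the rules shown grant no `.write` on another user's `friends` node.

```javascript
// Added example, not from the original answer. Layout follows the answer's rules:
//   groups/<gid>/members/<uid> = true,  users/<uid>/friends/<uid> = true
// Function names are hypothetical; `db` is a plain-object snapshot (constructed).

// Paths to write when `uid` joins `gid`: membership plus friend links both ways.
function joinGroupUpdates(db, uid, gid) {
  const updates = { [`groups/${gid}/members/${uid}`]: true };
  for (const member of Object.keys(db.groups?.[gid]?.members ?? {})) {
    if (member === uid) continue;
    updates[`users/${member}/friends/${uid}`] = true;
    updates[`users/${uid}/friends/${member}`] = true;
  }
  return updates;
}

// Paths to clear when `uid` leaves `gid` (null deletes). A friend link is kept
// if the two users still share another group; otherwise read access is revoked.
function leaveGroupUpdates(db, uid, gid) {
  const updates = { [`groups/${gid}/members/${uid}`]: null };
  const stillShared = new Set();
  for (const [otherGid, group] of Object.entries(db.groups ?? {})) {
    if (otherGid === gid || !group.members?.[uid]) continue;
    Object.keys(group.members).forEach((m) => stillShared.add(m));
  }
  for (const member of Object.keys(db.groups?.[gid]?.members ?? {})) {
    if (member === uid || stillShared.has(member)) continue;
    updates[`users/${member}/friends/${uid}`] = null;
    updates[`users/${uid}/friends/${member}`] = null;
  }
  return updates;
}

// In-memory stand-in for one atomic multi-path update; returns a new snapshot.
function applyUpdates(db, updates) {
  const next = JSON.parse(JSON.stringify(db));
  for (const [path, value] of Object.entries(updates)) {
    const keys = path.split('/');
    const last = keys.pop();
    let node = next;
    for (const k of keys) node = node[k] = node[k] || {};
    if (value === null) delete node[last];
    else node[last] = value;
  }
  return next;
}

// Mirrors the answer's rule: auth != null && data.child('friends').hasChild(auth.uid)
function canReadProfile(db, viewerUid, ownerUid) {
  return viewerUid != null && Boolean(db.users?.[ownerUid]?.friends?.[viewerUid]);
}
```

The update maps use slash-separated paths as keys, the shape a Firebase multi-path `update()` accepts, so each join or leave can be applied as a single write.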

To support multiple profiles.

The following answer creates several profiles / profile views for each group that the user joins. Like several resumes that you send about yourself to different companies. Thus, company members may know you differently depending on the resume you sent them.

Each of the user profiles is available only to members of the assigned group.

When the auth.uid viewer is a member of the barney group, the viewer can view all users who have profile/barney recorded in his account.

    {
      "rules": {
        // $user_id   == current user auth.uid
        // $friend_id == his friend auth.uid
        // $member_id == group member auth.uid
        "users": {
          "$user_id": {
            "profile": {
              "$group_id": {
                // readable by group members:
                ".read": "auth != null && root.child('groups').child($group_id).child('members').hasChild(auth.uid)"
              }
            }
          }
        },
        "groups": {
          "$group_id": {
            "members": {
              "$member_id": {}
            }
          }
        }
      }
    }
0

Source: https://habr.com/ru/post/1200636/

