
Role-based security in Firebase


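{
    "rules": {
        // No root-level read grant: every readable path below says who may
        // read it. A blanket ".read": true here would expose admin-only rooms
        // and their messages to anyone, including unauthenticated clients.
        // All rule keys carry a leading dot (".read", ".write", ".validate");
        // a bare "write" key is not a rule and grants nothing.
        "users": {
            // Profiles are readable by any signed-in user.
            ".read": "auth != null",
            "$user": {
                // A user may write their own profile; a global ADMINISTRATOR
                // (role-value 99) may write any profile.
                ".write": "auth != null && (auth.uid === $user || root.child('users/' + auth.uid + '/role-value').val() === 99)",
                "role-value": {
                    // Users cannot grant themselves a role: the value must be
                    // left unchanged unless the writer is an ADMINISTRATOR.
                    // A new user therefore creates their profile without a
                    // role-value; an administrator assigns one afterwards.
                    ".validate": "newData.isNumber() && (newData.val() === data.val() || root.child('users/' + auth.uid + '/role-value').val() === 99)"
                }
            }
        },
        "rooms": {
            "$room": {
                // A room and its member list are visible to users listed in it.
                ".read": "auth != null && data.child('users/' + auth.uid).exists()",
                "users": {
                    "$user": {
                        // Only a room ADMINISTRATOR may change the member list.
                        // The check reads the EXISTING data (root), never
                        // newData: with newData.parent() a caller could write
                        // 99 into their own entry and satisfy the check.
                        // NOTE(review): an empty room has no administrator, so
                        // the first admin entry has to be seeded by a trusted
                        // write (server-side or console) that bypasses rules.
                        ".write": "auth != null && root.child('rooms/' + $room + '/users/' + auth.uid).val() === 99",
                        // Role values are numbers (0, 10, 20, 99).
                        ".validate": "newData.isNumber()"
                    }
                }
            }
        },
        "messages": {
            "$room": {
                // Messages are visible only to users listed in the room.
                ".read": "auth != null && root.child('rooms/' + $room + '/users/' + auth.uid).exists()",
                "$message": {
                    // A MEMBER (10 or higher) of the room may add a message;
                    // existing messages cannot be edited or deleted.
                    ".write": "auth != null && !data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10",
                    // A message must be attributed to its writer and carry
                    // text, so members cannot post under another user's id.
                    ".validate": "newData.child('user').val() === auth.uid && newData.child('text').isString()"
                }
            }
        }
    }
}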
/* 

This example shows how the data structure itself can drive Firebase security
rules to implement role-based access. Each user is stored under their
authentication uid (here a Twitter uid such as "twitter:12345"), which is what
`auth.uid` resolves to inside the rules. Roles use the following simplistic
numeric scheme. A user's global role lives in `users/<uid>/role-value`, while
the per-room role that the room and message rules actually consult is the value
stored under `rooms/<room>/users/<uid>`:

0 - GUEST
10 - USER
20 - MODERATOR
99 - ADMINISTRATOR

This listing shows the data structure; the security rules listed above are the
ones that enforce it. Because the rules read role values out of the data, anyone
who can write those values can change what the rules allow, so the write rules
on `users/*/role-value` and `rooms/*/users/*` must be the tightest in the file.

*/

{
    "users": {
        "twitter:12345": {
            "full-name": "Sara Robinson",
            "username": "SRobTweets",
            "role-value": 10
        },
        "twitter:56789": {
            "full-name": "Michael 'Kato' Wulf",
            "username": "katowulf",
            "role-value": 20
        }
        ....
    },
    "rooms": {
        "public-room-1": {
            "users": {
                "twitter:56789": 20,
                "twitter:12345": 10
            }
        },
        "admin-only-room": {
            "users": {
                "twitter:56789": 20
            }
        }
        ...
    },
    "messages": {
        "public-room-1": {
           "-JVwTPcWMIt0J6Gbtrqh": {
                "user": "twitter:12345",
                "text": "Hello everyone!"
            }
            ...
        },
        "admin-only-room": {
            "-JVwU5tLQRPbzXo4s_a1": {
                "user": "twitter:56789",
                "text": "This is a top secret message."
            }
            ...    
        }
    }
}