How to add rule to firebase to give a group of user ids access to a path?
I have a document in Firebase structured like so:
{
applications: {
id_1: {
feature: {
a: true,
b: false
},
users: ['user_id_1', 'user_id_2']
}
}
}
I want to add a rule that ensures only users in the users array can read and write to the application with id === id_1.
I have tried adding the following rules but still seem to be able to read and write data when logged in as user_id_3
{
"rules": {
".read": "now < 1643846400000", // 2022-2-3
".write": "now < 1643846400000", // 2022-2-3,
"applications": {
"$appId": {
".write": "data.child('users').hasChild(auth.uid)",
".read": "data.child('users').hasChild(auth.uid)"
}
}
}
}
How can I add a rule to give access to a group of users?
Solution 1:
The hasChild function used in your rules example only checks for keys that are children of the path you specified. In your case, the path is applications/$appId/users.
The data stored at applications/$appId/users is an array, so the key for each item in the array would be the item's index. This is why your rule doesn't work - you are checking for user_id_1 or user_id_2, but the keys in your data are 0 and 1. There is no current equivalent for "array contains" when writing Firebase rules.
One solution would be to change the data structure of applications/$appId/users to be an object instead of an array. For example:
{
applications: {
id_1: {
feature: {
a: true,
b: false
},
users: {
user_id_1: true,
user_id_2: true
}
}
}
}
Then using hasChild in your rules will work since the user's id is a child of applications/$appId/users.
On thing to note about your security in general: By granting write access to all of $appId, you are giving any user at applications/$appId/users the ability to edit any other user's permission. Since they are free to read/write all data at that location.