Getting .read and .write Security Rules To Work For Groups

Question

I am​ having difficulty writing the security rules for​ building a team based collaboration platform.

1. ​​When a user registers they should be able to create a team and invite users to that team.
2. Projects should be owned by the team​.​
3. ​Only users in that team should be able to view ​that project.​
4. ​Users should only see the teams they are a member of​.

How do I write​ .read​ security rules so the ​users only see info from teams they're in?

I should only get two teams listed because I belong to them github:8272012​.​

​Current Security Rules: ​

{
    "rules": {
        ".read": true, 
        "users": {
          "$user": {
            //can add a message if authenticated
            ".write": "auth.uid === $user" 
          }
        }, 
        "teams": {
            "$team": {
                "users": {
                    // can write to the users list only if ADMINISTRATOR
                    "$user": {
                        ".write":"newData.parent().child(auth.uid).val() === 99"
                    }
                }
            }
        },
        "projects": {
          "$team": {
            "$project": { 
                //can add a message if they are a MEMBER
                ".write": "(!data.exists() && newData.exists() && root.child('teams/' + $team + '/users/' + auth.uid).val() >= 10)"
            }
          }
        }
    }
}

I should only get two teams listed because I belong to them github:8272012.

Answer 1

The following security rules would give read and write access for a project only to users who are in that project's team (assuming you add a /projects node for each user to indicate which projects that user has access to):

"rules": {
  "projects": {
    "$project": {
      ".read": "root.child('users').child(auth.uid).child('projects').val().child($project).exists()" ,
      ".write": "root.child('users').child(auth.uid).child('projects').val().child($project).exists()" 
    }
  }
}

I can't see what data you're storing for each project, but if you store a reference to the project's team you could also use that in your security rules.