The examples in the Firebase documents assume manual update of Firebase security rules. How can security rules be modified programmatically to support real-world collaborative applications? In the use case that I am considering, the requirement is for a user to be able to invite other users to collaborate/share selected data and to be able to grant/revoke access to the collaborators. How can this be accomplished with Firebase?
Edit and update your rules. Open the Firebase console and select your project. Then, select Realtime Database, Cloud Firestore or Storage from the product navigation, then click Rules to navigate to the Rules editor. Edit your rules directly in the editor.
These rules are hosted on Firebase servers and are applied automatically at all times. You can change the rules of your database in the Firebase console: select your project, click on the Database section on the left and select the Rules tab.
Use the Firebase console. To set up and deploy your first set of rules, open the Rules tab in the Cloud Firestore section of the Firebase console. Write your rules in the online editor, then click Publish.
1. Admin SDK bypasses security rules. As you explore security rules in depth, you will eventually discover that requests from the Firebase Admin SDK are not gated by rules. The Admin SDK is initialized with a service account, which gives the SDK full access to your data.
You actually shouldn't programmatically change your security rules. You should think of them as code and only change them at deploy time.
If what you're trying to do is change what users are actually allowed to do, you should do this by writing security rules that depend on data in your Firebase.
For example, let's say you wanted to restrict access to a piece of data to only users in a specific group. Rather than modifying the security rules every time the group membership changed, you would simply store the group in Firebase and have your security rules check to see if the current user is in that group before allowing access.
".read" : "root.child('groups').child($groupID).child(auth.userid).exists()"
That way, anytime group membership changes, users will automatically be granted access to the data they should be allowed to see.
For a more complex example of security rules, take a look at the rules.json file in Firefeed.
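The invite/revoke use case from the question, written as a Realtime Database ruleset built on the membership check above. This is an added example, not part of the original answer or of Firefeed. The `groupOwners` and `documents` paths are hypothetical, and it uses `auth.uid`, the field name in current Realtime Database rules, where the answer wrote `auth.userid`.

```json
{
  "rules": {
    // Hypothetical path: /groupOwners/<groupID> holds the owner's uid.
    // It can be claimed once and never overwritten or deleted afterwards.
    "groupOwners": {
      "$groupID": {
        ".read": "auth != null",
        ".write": "auth != null && !data.exists() && newData.val() === auth.uid"
      }
    },
    // Membership as in the answer: /groups/<groupID>/<uid> = true
    "groups": {
      "$groupID": {
        // Only the owner may list every collaborator.
        ".read": "auth != null && root.child('groupOwners').child($groupID).val() === auth.uid",
        "$uid": {
          // A collaborator may read their own membership entry.
          ".read": "auth != null && auth.uid === $uid",
          // Grant and revoke are owner-only writes; a collaborator may
          // only delete their own entry (leave the group).
          ".write": "auth != null && (root.child('groupOwners').child($groupID).val() === auth.uid || (auth.uid === $uid && !newData.exists()))",
          // Applies to writes only; deletions skip .validate.
          ".validate": "newData.isBoolean() && newData.val() === true"
        }
      }
    },
    // Hypothetical path for the shared data itself.
    "documents": {
      "$groupID": {
        ".read": "auth != null && root.child('groups').child($groupID).child(auth.uid).exists()",
        ".write": "auth != null && root.child('groups').child($groupID).child(auth.uid).exists()"
      }
    }
  }
}
```

Inviting a user is a write of `true` to `/groups/<groupID>/<uid>` by the owner, and revoking is a delete of that node; the ruleset itself is never redeployed. The owner is not a member by default, so the owner adds their own uid to the group to reach `/documents/<groupID>`.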