Locking down read/write access for a specific node based on user

0
votes

I know there have been similar issues to mine, but I'm still a bit stumped on how to secure my Firebase properly.

First, I'm using EmberFire. Second, I'm using Firebase Email/Password authentication for account management. Each of my accounts represents a business. I'd like it so that the currently authenticated business can only access his/her data. Initially, my thinking was to use the following data structure:

+ businesses
    - uid-1
    - uid-2
    - uid-3

...where uid is what's assigned to the user by Firebase email/password authentication. I would then use the following security rules:

{
  "rules": {
    "businesses": {
      "$user_id": {
        ".read": "$user_id === auth.uid",
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

With all that said, two questions:

  1. Will it work? (Pretty sure it will based on this post)
  2. If so, how can I get EmberFire to allow me to use my own id rather than what's generated by push(), which is used by EmberFire under the hood according to the docs.

UPDATE With regards to EmberFire, here's the code I'm using to save my model to Firebase:

var business = _this.store.createRecord('business', {
    uid: userData.uid,
    businessName: _this.get('businessName'),
    firstName: _this.get('firstName'),
    lastName: _this.get('lastName')
});

business.save().then(function(success) {
    flashMessages.success('Your account has been created! Please login below.');
    _this.transitionToRoute('login');
}, function(error) {
    flashMessages.warning(error);
});

What I'm seeing is that the root node of these created objects ends up being a unique timestamp ID generated by Firebase. To solve my issue, I'd like to override that to the auth.uid.

Thanks in advance! James

1
javascriptfirebasefirebase-securityemberfire
Thanks, Frank. I updated my original post to show the EmberFire-related code I'm using to save to Firebase. As noted, the root notes of those objects end up being Firebase IDs generated by push() under the hood, so the question is: can I override it so I can use auth.uid as the root node for what I save?jdixon04
@FrankvanPuffelen, the solution below worked to fix my EmberFire issue, but I still cant get the permissioning to work properly using the schema above. Here's a JS bin that illustrates what I'm trying to do: jsbin.com/woyaculata/1/edit?html,js,console,output . Again, appreciate all the help.jdixon04
@FrankvanPuffelen the questions were related. I wasn't going to worry about needing to override the key in EmberFire if the proposed security rules I mentioned above wouldn't have worked. And FYI, in response to your first reply, I did try the rules initially, but ran into problems, which is why I posted in the first place. That said, if you don't want to help, that's fine -- just don't reply. It would have been better than your snippy response.jdixon04

1 Answers

2
votes

You can specify id when doing the createRecord. The id will become the firebase key:

var record = this.store.createRecord('business', {
  id: userData.uid,
  businessName: this.get('businessName'),
  firstName: this.get('firstName'),
  lastName: this.get('lastName')
});

You will probably want to make sure that the user record doesn't already exist before creating it, so you'll need a "find or create" flow. There are some gotchas when doing this kind of flow in Ember Data. An example workaround is outlined in the comments here