3
votes

I'm using Firebase for an app with the following tree structure...

- groups
  - $group_id
     - users
        - $user_id

- users
   - $user_id
      - groups
         - $group_id

Pretty simple - users belong to groups and this relationship is stored both at a 'users' location and a 'groups' location.

I'm looking to write security rules that only allow users to read from other users' Firebase location if they belong to the same group (i.e. if any of their $group_ids match). How should I structure my data in order to ensure this and what does the actual security 'read' rule syntax look like?

1
Did you read auth-based security? It has a live demo and full example showing this very structure and concept. Also see how to ask and creating an mcve. - Kato
I did read the docs at that link, but they don't cover anything specific that would help with my question. I'm thinking the answer might be that there's currently no way to achieve what I'm looking to do since there's nothing that would allow more complex checks for groups of values (e.g. arrays) against other groups for at least one match. The closest thing I could find was .hasChildren() but this requires all the values passed to be present. - Alex Costantini

1 Answer

0
votes

It's a bit old, but since I was on the same path today I would like to share my finding here, since it helped me a lot to get a grip on the rules: https://firebase.googleblog.com/2016/10/group-security-in-firebase-database.html
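
An added example, not taken from the posts above or from the linked article: a Realtime Database rules sketch for the tree in the question. A rule expression cannot loop over a user's groups to look for "any match", so this version assumes clients read a group-mate's entry through the group-scoped path `groups/$group_id/users/$user_id`, where the rule can test the caller's membership in that one group directly. Only read rules are shown; writes stay denied by default.

```json
{
  "rules": {
    "groups": {
      "$group_id": {
        "users": {
          // Assumption: each child key here is a member's uid, as in the question's tree.
          // A signed-in caller may read this node (the member list and every entry
          // under it) only if their own uid is one of its children.
          ".read": "auth != null && data.child(auth.uid).exists()"
        }
      }
    },
    "users": {
      "$user_id": {
        // The per-user record, including its "groups" index, stays private to its
        // owner. Read rules cascade downward, so granting ".read" here to other
        // users would expose the whole record, not just shared fields.
        ".read": "auth != null && auth.uid === $user_id"
      }
    }
  }
}
```

With these rules a read of `groups/<id>/users` succeeds for members of that group and is denied for everyone else, while `users/<uid>` is readable only by that user, so anything group-mates should see has to be stored under the group path.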