1
votes

Say I have a database with the following structure:

  • Permissions
    • $pId (auto generated id from push)
      • userId
      • roomId
      • permission
  • User
    • $uId
      • Name
  • Room
    • $rId
      • Name

Is it possible to write a rule that says "allow user to modify room if there exists a permission p where p.userId = auth.uid and p.roomId = $rId and p.permission = 'admin'"?

As far as I can tell it isn't possible without nesting permission information under each room.

1 Answer

1
votes

You'll need to change your structure a bit. Instead of using a push id to identify permissions, use a more controlled structure. For example:

"Permissions": {
  "roomId": {
    "userId": "role"
  }
}

Now you can secure the room as you want with:

{
  "rules": {
    "Room": {
      "$rId": {
        ".write": "root.child('Permissions').child($rId).child(auth.uid).val() == 'admin'"
      }
    }
  }
}

An added advantage is that you don't have to scan all the permissions if you ever want to revoke a user's permission.
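
The room rule above is only as strong as the protection on the Permissions node itself: if clients can write there, a user can grant themselves 'admin'. The rules below are an added example, not part of the original answer, that lock that node down as well. The 'member' role name and the read rule are assumptions, and the first admin of each room is assumed to be written from a privileged context such as the Admin SDK, which bypasses rules.

```json
{
  "rules": {
    "Permissions": {
      "$rId": {
        // Assumption: only users who hold a role in the room may read its permission map.
        ".read": "auth != null && data.child(auth.uid).exists()",
        "$uId": {
          // Only a current admin of this room may grant, change or revoke a role.
          // 'root' is the data as it exists before the write, so a user cannot
          // satisfy this check with the very entry they are trying to create.
          ".write": "auth != null && root.child('Permissions').child($rId).child(auth.uid).val() === 'admin'",
          // Assumption: 'admin' and 'member' are the only valid roles.
          // .validate is skipped on deletes, so revoking a role still works.
          ".validate": "newData.isString() && (newData.val() === 'admin' || newData.val() === 'member')"
        }
      }
    },
    "Room": {
      "$rId": {
        // Same check as in the answer, with an explicit signed-in guard.
        ".write": "auth != null && root.child('Permissions').child($rId).child(auth.uid).val() === 'admin'"
      }
    }
  }
}
```

Because no rule grants access at the top of Permissions, unauthenticated users and users with no role in a room are denied by default.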