My current firebase structure looks like the following
Originally, my security looks like
{
"rules": {
"users": {
"$companyId": {
"$userId": {
".read": "auth != null",
".write": "auth != null",
}
}
}
}
}
This is all fine as I can simply get the user detail via
// get user information from database
getUserInformation(companyId: string, uid: string) {
let path = '/users/' + companyId + '/' + uid;
return this.af.database.object(path, { preserveSnapshot: true })
}
However, I want to add more security to this branch such that the user can not update the code in the front end to modify some of these entries via write operation (Read is OK). I want to have the user the ability to modify these entries based on the isAdmin flag For example,
- companyId (read: auth != null, write: isAdmin == true)
- companyName (read: auth != null, write: isAdmin == true)
- dailySubmissionLimit (read: auth != null, write: isAdmin == true)
- defaultApproverEmail (read: auth != null, write: isAdmin == true)
- email (read: auth != null, write: isAdmin == true)
- firstName (read: auth != null, write: isAdmin == true)
- id (read: auth != null, write: isAdmin == true)
- isAccountActive (read: auth != null, write: isAdmin == true)
- isAdmin (read: auth != null, write: false)
- isPasswordOutdated (read: auth != null, write: auth!=null)
- lastLoggedIn (read: auth != null, write: auth!=null)
- lastName (read: auth != null, write: isAdmin == true)
- passwordChangeDate_epoch (read: auth != null, write: auth!=null)
- registerationDate (read: auth != null, write: isAdmin == true)
- team (read: auth != null, write: isAdmin == true)
- userDefaults (read: auth != null, write: auth!=null)
Since all read = auth != null.. Initially, I thought since I am able to read all the node, I could set the security individual rule for each node as shown below
{
"rules": {
"users": {
"$companyId": {
"$userId": {
"companyId": {
".read": "auth != null",
".write": "(auth != null) && (root.child('users').child($companyId).child(auth.uid).child('isAdmin').val() == true)"
},
"isAdmin": {
".read": "auth != null",
".write": "false"
},
"lastLoggedIn": {
".read": "auth != null",
".write": "auth != null"
},
...
}
}
}
}
}
This however failed when I try to getUserInformation() because I am querying '/users/' + companyId + '/' + uid and the security rule for that particular branch is unknown
I am guessing as an alternative, I could query each node instead '/users/' + companyId + '/' + uid + '/companyId' and combine the data using forkJoin or some sort. This would be highly ineffecient as I am now calling the database nth time instead of one time.
Another approach that I can think of is to structure the data abit differently by categorising them into three branches "userCanModify", "adminCanModify", "noOnCanModify". Then set security rule for these three nodes as required. But this seems more like a hack to me as I have to re-structure my data to a very odd format. Also, I will still have to make three request to get the full picture of the user detail
{
"rules": {
"users": {
"$companyId": {
"$userId": {
"userCanModify": {
"lastLoggedIn": {
".read": "auth != null",
".write": "auth != null"
},
...
},
"adminCanModify": {
"companyId": {
".read": "auth != null",
".write": "(auth != null) && (root.child('users').child($companyId).child(auth.uid).child('isAdmin').val() == true)"
},
"companyName": {
".read": "auth != null",
".write": "(auth != null) && (root.child('users').child($companyId).child(auth.uid).child('isAdmin').val() == true)"
},
...
},
"noOneCanModify": {
"isAdmin": {
"read": true,
"write": false
},
...
}
}
}
}
}
}
Is there a much better solution out there that I am missing?