Given the following Firebase Realtime Database schema:

{
  "Organizations": {
    "A": {
      "name": "org a",
      "users": {
        "1": true,
        "2": true,
        "3": true
      },
      "owners": {
        "1": true
      }
    },
    "B": {
      "name": "org B",
      "users": {
        "2": true,
        "3": true
      },
      "owners": {
        "2": true
      }
    },
    "C": {
      "name": "org C",
      "users": {
        "1": true,
        "3": true
      },
      "owners": {
        "3": true
      }
    }
  },
  "Users": {
    "1": {
      "name": "sean",
      "organizations": {
        "A": true,
        "C": true
      }
    },
    "2": {
      "name": "sean",
      "organizations": {
        "A": true,
        "B": true
      }
    },
    "3": {
      "name": "sean",
      "avatar": "some image url",
      "email": "[email protected]",
      "organizations": {
        "A": true,
        "B": true,
        "C": true
      }
    }
  }
}

Using Realtime Database rules, how can one allow all owners of an Organization to see all the user data for all the users in the organization's users object?

In other words, the goal is: list all data (name, email, avatar, ...) of each user of an org to an owner via the RTB connection.

I can't seem to discern how to format the child, data, children, etc. .write or .read rules to construct a rule set to accomplish this. Thanks for the help.

1 Answer

To allow reading of /Organizations/$orgId/users by owners of that org, you'd have a rule:

{
  "rules": {
    "Organizations": {
      "$orgId": {
        "users": {
          ".read": "data.parent().child('owners').child(auth.uid).exists()"
        }
      }
    }
  }
}
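
To see which reads the rule above permits, here is a small offline model of it, added as an example and not part of the original answer or of Firebase's own code. The `snapshot`, `readRules` and `canRead` names are hypothetical, the data is the question's `Organizations` branch, and the evaluator only models two behaviours: `.read` grants cascade to child paths, and a path with no matching rule is denied.

```javascript
// Constructed sample data: the Organizations branch from the question's schema.
const db = {
  Organizations: {
    A: { name: "org a", users: { 1: true, 2: true, 3: true }, owners: { 1: true } },
    B: { name: "org B", users: { 2: true, 3: true }, owners: { 2: true } },
    C: { name: "org C", users: { 1: true, 3: true }, owners: { 3: true } },
  },
};

// Hypothetical stand-in for the rules `data` snapshot: child(), parent(), exists().
function snapshot(root, path) {
  return {
    child: (key) => snapshot(root, [...path, String(key)]),
    parent: () => snapshot(root, path.slice(0, -1)),
    exists: () => {
      let node = root;
      for (const key of path) {
        // Own properties only, so a uid such as "constructor" never matches.
        const isObject = node !== null && typeof node === "object";
        if (!isObject || !Object.prototype.hasOwnProperty.call(node, key)) return false;
        node = node[key];
      }
      return node !== null;
    },
  };
}

// The answer's rule, keyed by the path pattern it is attached to.
const readRules = [
  {
    pattern: ["Organizations", "$orgId", "users"],
    allow: (data, auth) =>
      auth !== null && data.parent().child("owners").child(auth.uid).exists(),
  },
];

// A read is allowed when a .read rule at the path or at an ancestor evaluates
// to true (grants cascade downward); with no matching rule it is denied.
function canRead(pathString, auth) {
  const path = pathString.split("/").filter(Boolean);
  return readRules.some(({ pattern, allow }) => {
    if (pattern.length > path.length) return false;
    const matches = pattern.every((seg, i) => seg.startsWith("$") || seg === path[i]);
    return matches && allow(snapshot(db, path.slice(0, pattern.length)), auth);
  });
}
```

With only this rule in place, an owner can read the org's `users` node and its children, while `/Organizations/$orgId/name` and everything under `/Users` have no `.read` rule and stay denied.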