Databases
StackOverflow2013
Postsdbo
POProper authorization rules for protected content in firebase
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POProper authorization rules for protected content in firebase
    primarykey
    data
    text
    <p><strong>Is there a best practice approach to proper authorization rules for protected content in a firebase app</strong> </p> <ul> <li>using firepad specifically</li> <li>By protected content I mean where a user creates a document and only shares it with certain other users). </li> <li>Also I need to be able to query firebase for all documents that i have access to (docs that I created and docs other users shared with me)</li> </ul> <p>Some of my research thus far:</p> <p><strong>Method 1: Secret URL</strong></p> <ul> <li><p>I need to know the URL to be able to view/edit the document</p></li> <li><p>Not real authorization, as any logged in user that has access to that URL could edit/modify it.</p></li> <li><p>Cant index all the docs i have access to</p></li> </ul> <p><strong>Method 2:</strong> Using firebase authorization rules to add users to a document and check if user is document.users before reading/writing.</p> <p>Taken From: <a href="https://stackoverflow.com/questions/17433578/protected-content-in-firebase-possible">Protected content in Firebase possible?</a></p> <pre><code>{ "documents": { "$documents_id": { // any friend can read my post ".read": "auth.id === data.child('owner').val() || root.child('users/'+data.child.owner.val()+'/users/'+auth.id).exists()", // any friend can edit my post ".write": "auth.id === data.child('owner').val() || root.child('users/'+data.child.owner.val()+'/users/'+auth.id).exists()" }, users:{ // List of user.ids that have access to this document } } } </code></pre> <p>Pros:</p> <ul> <li>Proper authorization/authentication. Only authenticated users who have been granted access can view/edit.</li> </ul> <p>Cons: </p> <ul> <li>Cannot query for all documents a user is allowed to edit (those that I own or have been shared with me) (Is this assumption correct?)</li> </ul> <p><strong>Method 3:</strong> Firebase authorization rules (method 2), plus a redundant store of users with array of document_ids each users has access to. This user store would only be used to query all the documents a user has access to. ie:</p> <pre><code>{ "documents": { "$documents_id": { // any friend can read my post ".read": "auth.id === data.child('owner').val() || root.child('users/'+data.child.owner.val()+'/users/'+auth.id).exists()", // any friend can edit my post ".write": "auth.id === data.child('owner').val() || root.child('users/'+data.child.owner.val()+'/users/'+auth.id).exists()" } }, "users":{ "$user":{ ".read": "auth.id=$user.id", ".write": "auth.id=$user.id" "$documents":{ // All the documents i have access to. This list gets ammended whenever I am granted/stripped access to a document. } } } } </code></pre> <p>Pros: </p> <ul> <li>Proper authentication/authorization </li> </ul> <p>Cons:</p> <ul> <li>Duplicate data, have to deal with synchronization issues between two data stores. This just doesnt seem like a good idea.</li> </ul> <p><strong>Method 4: Groups</strong> </p> <p>Using groups per <a href="https://stackoverflow.com/questions/14491496/granting-access-to-firebase-locations-to-a-group-of-users/14492117#14492117">Granting access to Firebase locations to a group of users</a></p> <ul> <li><p>We have a group for every document in data store</p></li> <li><p>Cant easily query firebase for all the docs a user can access</p></li> </ul> <p>Is there a better way to do this?</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USCommunity
    1. USabaker
    plurals
    1. PL
      singulars
      1. LTLinked
    2. PL
      singulars
      1. LTLinked
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POProper authorization rules for protected content in firebase
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POProper authorization rules for protected content in firebase
      1. USdino
      1. VTFavorite
    3. VO
      singulars
      1. POProper authorization rules for protected content in firebase
      1. USBeni Cherniavsky-Paskin
      1. VTFavorite
    1. This table or related slice is empty.
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload