Skip to content

Instantly share code, notes, and snippets.

@asciimike
Created December 5, 2016 08:01
Show Gist options
  • Save asciimike/405c9bf6a1a48a8c17a61b6ff387eaae to your computer and use it in GitHub Desktop.
Save asciimike/405c9bf6a1a48a8c17a61b6ff387eaae to your computer and use it in GitHub Desktop.
Firebase Storage "serverless" group permissions
/*
You can create a Role Based Access Control system by storing ownership and access membership in the custom metadata of the file.
The proposed solution uses the existing "owner" "editor" and "reader" permissions.
If you store a user and the associated permission as a key/value pair in the file metadata:
// custom file metadata looks like:
metadata: {
"user:1234": "owner",
"user:5678": "editor",
"user:0912": "reader"
}
You can write rules as follows:
*/
function isMember(group) {
return resource.metadata[request.auth.uid] == group;
}
service firebase.storage {
match /files/{fileName} {
allow read: if isMember("owner")
|| isMember("editor")
|| isMember("reader");
allow write: if isMember("owner")
// prevents editors from changing custom metadata
|| (isMember("editor") && request.resource.metadata == resource.metadata);
}
}
/*
The owner would then have to add the new people to each file:
1) a user could write to the "file's access queue" in the DB
2) owners can listen for new requests
3) owners can then approve/deny the request by updating the file metadata accordingly
This strategy also means that the owner can easily revoke the permission without user approval
*/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment