Instantly share code, notes, and snippets.

Embed
What would you like to do?
Role-based security in Firebase
/*
This example shows how you can use your data structure as a basis for
your Firebase security rules to implement role-based security. We store
each user by their Twitter uid, and use the following simplistic approach
for user roles:
0 - GUEST
10 - USER
20 - MODERATOR
99 - ADMINISTRATOR
This file shows the data structure, and the security-rules file below
shows the corresponding security rules.
*/
{
"users": {
"twitter:12345": {
"full-name": "Sara Robinson",
"username": "SRobTweets",
"role-value": 10
},
"twitter:56789": {
"full-name": "Michael 'Kato' Wulf",
"username": "katowulf",
"role-value": 20
}
....
},
"rooms": {
"public-room-1": {
"users": {
"twitter:56789": 20,
"twitter:12345": 10
}
},
"admin-only-room": {
"users": {
"twitter:56789": 20
}
}
...
},
"messages": {
"public-room-1": {
-JVwTPcWMIt0J6Gbtrqh: {
"user": "twitter:12345",
"text": "Hello everyone!"
}
...
},
"admin-only-room": {
-JVwU5tLQRPbzXo4s_a1: {
"user": "twitter:56789",
"text": "This is a top secret message."
}
...
}
}
}
{
"rules": {
".read": true,
"users": {
"$user": {
//can add a message if authenticated
".write": "auth.uid === $user"
}
},
"rooms": {
"$room": {
"users": {
// can write to the users list only if ADMINISTRATOR
"$user": {
"write":"newData.parent().child(auth.uid).val() === 99"
}
}
}
},
"messages": {
"$room": {
"$message": {
//can add a message if they are a MEMBER
".write": "(!data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10)"
}
}
}
}
}
@tommybananas

This comment has been minimized.

tommybananas commented Dec 8, 2014

Shouldn't root.child($room + '/users/' + auth.uid) be something like root.child('rooms/' + $room + '/users/' + auth.uid)?

@jdsingh

This comment has been minimized.

jdsingh commented Jul 25, 2015

@sararob Logged in user can change the role-value at /users/$user ?

Isn't this should be changeable by admin only ?

@AWolf81

This comment has been minimized.

AWolf81 commented Dec 29, 2015

@jdsingh Yes, I think you're right. An authenticated malicious user can change his own role to anything he likes in the browser console. With ref.child('users').child('own-uid').update({'role-value': 20}); with var ref= new Firebase('https://<app>.firebaseio.com');

The user can also look for the available roles with ref.child('users').once('value', function(snapshot) { console.log(snapshot.val()); }

I also think that should be restricted and that's possible if you're putting the user roles in a top level document. Then you can add a write rule only for admin users to edit that document.

I'm learning Firebase at the moment. I'll check this with my current demo and come back once I've got it working.

@hounvs

This comment has been minimized.

hounvs commented Jan 27, 2016

@AWolf81 Any progress? I'm just now learning firebase and am looking for some means of defining/assigning roles securely. I'm not sure of the proper way to organize the database

@Andersos

This comment has been minimized.

Andersos commented Jan 30, 2016

Would be nice to address the problem of users being able to change their own role.

@Andersos

This comment has been minimized.

Andersos commented Jan 30, 2016

I ended up trying this. Not sure how well it will work

type User {
  name: String,
  email:  String,
  isMember: Boolean,
}

type Role {
  isAdmin: Boolean
}

path /users/{uid} is User {
  read() { isCurrentUser(uid) || isAdmin(uid) }
  write() { isCurrentUser(uid) || isAdmin(uid) }
  validate() { this.isMember === false || isAdmin(uid) }
}

path /roles/{uid} is Role {
  read() { isAdmin(uid) }
  write() { isAdmin(uid) }
}

isCurrentUser(uid) { auth != null && auth.uid == uid }
isAdmin(uid) { auth != null && root.roles.uid.isAdmin.val() }
@Andersos

This comment has been minimized.

@lazabogdan

This comment has been minimized.

lazabogdan commented Feb 11, 2016

@Andersos if you don't mind, what is that code you used in your previous comment? Looks interesting

@curlybracketsco

This comment has been minimized.

curlybracketsco commented Mar 8, 2016

I just wrote up some thoughts on what I think is a promising solution to admin / moderator roles from the Firechat app (written by the Firebase devs) - http://curlybrackets.co/blog/2016/03/07/implementing-roles-in-firebase/

@bruno2ms

This comment has been minimized.

bruno2ms commented Mar 21, 2016

@lazabogdan if it still matter, that code was written in Bolt.

Accordingly to Firebase "Bolt is a high level modeling and security language that lets you easily translate your application’s data structure to the low-level JSON rules needed to secure your data in Firebase."

I`m using it in some projects and its preety good.

Firebase blog post

@sebastianovide

This comment has been minimized.

sebastianovide commented Jul 18, 2016

are you still using it ? It is not clear if it will be maintained after Firebase 3.0

@HerRomero

This comment has been minimized.

HerRomero commented Nov 17, 2016

I am working on an advanced role based security rules system for an app based on this.

chat_permissions
	chat1
		admins
			user1= true
			user2 = true
		observers
			user3 = true
"chat_permissions": {
      ".read": "auth != null",
      	"$group": {
          ".write": "data.child('admins').hasChild(auth.uid) || !data.child('admins').exists() "
        	// allows to modify users permissions (as well as add or delete users) if user is admin or if there are no admins
        }
    }   

After this you set all security rules based on user permissions

@ghost

This comment has been minimized.

ghost commented Sep 24, 2017

Why do you want to this ir you have the admin sdk for node?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment