Question

Let's take the example of http://up2f.co/15euYdT where one can secure the Firebase app by checking that only the creator of a comment can change a comment.

Let's assume that we need to keep in another structure the total number of comments, something like

"stats" :{
    "comments":{
      "count":2
    }
  }

We need to protect this part from direct access from registered users. We could do something like

"stats" :{
    "$adminid":{
        "comments":{
          "count":2
        }
    }
  }

where we could only allow an admin to have access there.

To do this we would need to create a persistent connection to Firebase that would listen to changes in the comments table and would trigger an event to update the stats table.

Is this possible? If not how else can we secure data that is not assigned to a specific user?


Solution

Since your admin process will use a secret token to log in, security rules will not apply. Thus, you can simply secure client access using:

// not applied to privileged server logging in with token
".write": false,

If, alternately, you wanted clients to increment the amount, you could use the following trick, which only allows them to increment the counter, and only allows them to add a comment if the counter has been updated. (See a working demo http://jsfiddle.net/katowulf/5ESSp/)

{
  "rules": {
    ".read": true,
    ".write": false,
    "incid": {
       "counter": {
          // this counter is set using a transaction and can only be incremented by 1
          ".write": "newData.isNumber() && ((!data.exists() && newData.val() === 1) || newData.val() === data.val()+1)"
       },
       "records": {
         "$id": {
            // this rule allows adds but no deletes or updates
            // the id must inherently be in the format rec# where # is the current value of incid/counter
            // thus, to add a record, you first create a transaction to update the counter, and then use that counter here
            // the value must be a string less than 1000 characters
            ".write": "$id >= 'rec'+root.child('incid/counter').val() && !data.exists() && newData.isString() && newData.val().length <= 1000"
         }
       }
    }
  }
}
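To check what the two write rules in the answer above actually allow, here is an added example (not from the answer or the fiddle): a small offline simulator of the rule expressions, plus the client sequence of "transaction on the counter, then add the record". The `snap()` helper, `makeDb()` and `addRecord()` are constructed here and mimic only the subset of the Firebase rules API the rules use (`data`, `newData`, `root`, `exists()`, `val()`, `isNumber()`, `isString()`).

```javascript
// Constructed stand-in for a Firebase rules snapshot (data / newData / root.child()).
function snap(value) {
  return {
    exists: () => value !== null && value !== undefined,
    val: () => value,
    isNumber: () => typeof value === 'number',
    isString: () => typeof value === 'string',
  };
}

// "incid/counter" rule: the counter starts at 1 or grows by exactly 1 per write.
// Deletes (proposed === null) and non-numbers fail newData.isNumber().
function counterWriteAllowed(current, proposed) {
  const data = snap(current), newData = snap(proposed);
  return newData.isNumber() &&
    ((!data.exists() && newData.val() === 1) || newData.val() === data.val() + 1);
}

// "incid/records/$id" rule: add-only (no update, no delete), id compared as a
// string against 'rec' + counter, value a string of at most 1000 characters.
function recordWriteAllowed(id, counterValue, current, proposed) {
  const data = snap(current), newData = snap(proposed);
  return id >= 'rec' + counterValue && !data.exists() &&
    newData.isString() && newData.val().length <= 1000;
}

// Constructed in-memory database standing in for the "incid" subtree.
function makeDb() {
  return { counter: null, records: {} };
}

// Client sequence from the answer: increment the counter (a transaction in the
// real SDK), then write the record named after the new value. Returns the id
// written, or null if one of the rules would have rejected the write.
function addRecord(db, text) {
  const next = db.counter === null ? 1 : db.counter + 1;
  if (!counterWriteAllowed(db.counter, next)) return null;
  db.counter = next;
  const id = 'rec' + next;
  if (!recordWriteAllowed(id, db.counter, db.records[id], text)) return null;
  db.records[id] = text;
  return id;
}
```

Because the `$id` comparison is a string comparison, `'rec10' >= 'rec2'` is false, so the id check is lexicographic rather than numeric; the test below exercises that case.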
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow