Security Rules - lists of data that can be read?

Question

So my application has 'conversations' that are shared between many users. 'conversations' have many 'users'.

I am able to get authors authorized for ".read" using the simulator on a specific conversation, but I'm not sure how to get a list of conversations when logged in as a user -- I can't use .on("child_added") on 'conversations', because .read is not allowed on 'conversations', only on some of their childs depending on the logged in user.

How should I proceed?

Thanks!

Answer 1

We don't recommend using security rules as a way to implement filtering of records. You can store a list of conversations under a global list, but then store the IDs of those conversations under each user that has access to them. This means that you'll also have to ensure that the list of conversations for each user is updated whenever there is a change.

/conversations
  <conversation-id-1>
  <conversation-id-2>
/users
  <user-1>
    /conversations
      <conversation-id-1>: true
  <user-2>
    /conversations
      <conversation-id-2>: true

Doing a .on("child_added") on /users/user1/conversations will give you access to all the conversations that the user has access to. Make sure to set the permissions on the top-level conversations list appropriately.

See https://www.firebase.com/blog/2013-04-12-denormalizing-is-normal.html for some more background on how to structure your data in Firebase.