I have a User that creates experiments and can also invite other Users to edit those experiments.
The path used in the Realtime Database is:
/users/{$user_id}/${experiment_id}/
Currently, under this path, I have a sharedWith array that contains the user_ids of the invitees.
I have the app working but I would like to use the database Rules to only allow the owner or the invitees to read or write. Unfortunately, the Rules don't allow iterating over an array to look for user ids. Is there any way around this?
Here is a sample of one user's data. Note the user_id inside the sharedWith array.
I'd recommend storing a map with user UIDs as keys, as shown below:
{
  title: "",
  sharedWith: {
    user_id1: true,
    user_id2: true
  }
}
You can now check if the node with user_id1 (or the UID of the requesting user) exists and is set to true.
{
  "rules": {
    "users": {
      "$owner_id": {
        "$exp_id": {
          ".read": "data.child('sharedWith').child(auth.uid).val() === true"
        }
      }
    }
  }
}
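For experiments that already store sharedWith as an array, the following added example (not part of the answer above) builds the update that converts each array into the map the rule looks up by key. The names `toSharedMap` and `buildMigration` are hypothetical, and the sample data is constructed for illustration.

```javascript
// Added example: convert existing sharedWith arrays into { uid: true } maps.
// These characters are not allowed in Realtime Database keys: . $ # [ ] /
const INVALID_KEY = /[.$#\[\]\/]/;

// Accepts an array, an array with holes, or an existing map; returns { uid: true }.
function toSharedMap(sharedWith) {
  const map = {};
  for (const [key, value] of Object.entries(sharedWith || {})) {
    // Array form: the value is the UID. Map form: the key is the UID and the
    // value must be exactly true, because the rule compares with === true.
    const uid = typeof value === 'string' ? value : value === true ? key : null;
    if (uid === null) continue; // hole left by a deleted array item, or a false flag
    if (uid === '' || INVALID_KEY.test(uid)) {
      throw new Error('UID cannot be used as a database key: ' + JSON.stringify(uid));
    }
    map[uid] = true;
  }
  return map;
}

// users: the content of /users as plain JSON ({ ownerId: { expId: {...} } }).
function buildMigration(users) {
  const updates = {};
  for (const [ownerId, experiments] of Object.entries(users || {})) {
    for (const [expId, exp] of Object.entries(experiments || {})) {
      if (!exp || typeof exp !== 'object' || exp.sharedWith == null) continue;
      const map = toSharedMap(exp.sharedWith);
      // An empty map cannot be stored, so write null to remove the old array.
      updates[`users/${ownerId}/${expId}/sharedWith`] =
        Object.keys(map).length > 0 ? map : null;
    }
  }
  return updates;
}

// Constructed sample data, shaped like the paths in the question.
const sampleUsers = {
  ownerA: {
    exp1: { title: 'first', sharedWith: ['uidB', 'uidC'] },
    exp2: { title: 'second', sharedWith: ['uidB', null, 'uidD'] }, // array with a hole
    exp3: { title: 'private' },                                     // never shared
  },
  ownerB: {
    exp9: { title: 'done', sharedWith: { uidA: true, uidZ: false } }, // already a map
  },
};
console.log(buildMigration(sampleUsers));
```

The returned object is keyed by path, so it can be passed to `update()` on the database root reference to apply every change in one write.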