I'm currently working on a web app that utilises the realtime database. Currently my security rules are set out to allow each user access to their UID path.
"$uid" :{
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
I am now trying to add a admin section, where a specific user has access to the entire database, is there a way to give read/write access to both a specific uid, as-well as the id of the owner of the path?
My database structure looks like the following;
Client -> UID -> Data
I've read about the admin SDKs and user groups, however all I need to do I append items to the database so I think it would be easier if I can just give access to a certain admin user?
Any advice/suggestions would be greatly appreciated!
I typically grant full access to the administrative user at a higher level (sometimes even the root) of the database. For example, say you have a /users node, I'd do:
"users": {
".read": "auth.uid === 'uidOfYourAdminUser'",
".write": "auth.uid === 'uidOfYourAdminUser'",
"$uid" :{
".read": "auth.uid === $uid",
".write": "auth.uid === $uid"
}
}
Since permission cascades down, the admin now has read/write access to all users.
There are many ways to identify the application adminstrator. For example, you could also keep a list of their UIDs in a separate node, like this:
"admins": {
"uidOfYourAdminUser": true
}
And then check it like this in the rules on /users:
root.child('admins').child(auth.uid).exists()