Firebase securityrules. How to allow access for admins stored in an array inside document?
I have a firebase firestore document where I store the admin ids in an admins array. How can I create security rules that allows reads and writes if a request userid is in that admins list.
I wonder about 3 cases:
If I have this rule how do I also allow an admin to write and read:
match /users/{uid}{ allow read,write: if request.auth != null; }Can I make a function for example isAdmin() inside the securityrules which I can use in every rule to accept admin?
Is it possible to make one (or two) rules that allows the admins to read and write everything in the database, instead of writing a rule for every collection?
I believe the answer is yes to all three questions:
- You can use the
||operator - Yes, functions are allowed!
- Yes, rules are inheritted top down
I very much so recommend these two videos:
- Security Rules! 🔑 | Get to know Cloud Firestore #6
- Intermediate topics in Firebase Security Rules - Firecasts
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isAdmin() {
let admins = get(/databases/$(database)/documents/roles/admins);
return request.auth.uid in admins.data.users;
}
function isOwner() {
return request.auth != null && request.auth.uid == userId;
}
match /{document=**} {
allow read, write: if isAdmin();
}
match /users/{userId} {
allow read, write: if isAdmin() || isOwner();
allow create: if request.auth != null;
}
}
}
This rendered success for me in my test db
If you haven't used the rules playground yet, it's a good place to get started:
- Delete all users from firebase auth console
- Is there a way to use Google Firestore client in Python like in the Pyrebase library?
- Firebase User Doesn't Have Constructor?
- Firebase realtime database structure in chat app
- node-red Firebase send notification
- android.security.KeyStoreException: Signature/MAC verification failed
- iOS and FirebaseCrashlytics
- Will preventing AD_ID permission to be merged affect Firebase functionality?
- Is it possible to use Firebase Realtime Database to implement a distributed mutex?
- How to implement role based google authentication using Firebase
- Firebase JS SDK `findNearest` function for Firestore Vector search
- RxJs Compose a list of Observables and then combine (Firebase)
- Flutter NSException: Configuration fails. It may be caused by an invalid GOOGLE_APP_ID in GoogleService-Info.plist or set in the customized options
- How to setup FastAPI comunication with firestore through Pyrebase4
- Best way to store Firebase admin private key file for AWS lambda
- Upgraded angular versions and now getting error: "The AppComponent component is not marked as standalone"
- QUOTA_EXCEEDED : Exceeded daily quota for email sign-in in spite of using my SMTP settings
- Alternate of Authentication create trigger in 2nd Gen - Cloud Functions
- firestore: PERMISSION_DENIED: Missing or insufficient permissions
- Conditional rendering based on authentication security question
- Firebase Authentication Emulator in Flutter on Android: `Logging in as [email protected] with empty reCAPTCHA token`
- FireBase notification not working on new installs
- is it safe to have 'firebase-messaging-sw.js" in public url
- Defining memory for single firebase functions
- How to show API error handle inside of react?
- firebase login fails to make request to https://auth.firebase.tools/attest
- Why is signInWithPhoneNumber from @capacitor-firebase/authentication doesn't works Ionic app for iOS?
- Separating Firebase Functions Into Self-Contained "Packages" (Not separate files - entirely separate packages)
- Firebase's Realtime Database's `startAt` isn't working as expected
- Parsing Data From Firebase In React