Array elements for Firebase authentication rules

Currently, my app utilizes Firebase in conjunction with react native. Users are able to share content with different permissions - read, copy, or modify, and can do so with specific users or all users. Due to the fact that Firebase lacks an OR function for queries, I have resorted to using an array to store user:permission combinations. This enables me to utilize the array-contains-any capability for querying purposes as shown below:

.where("access", "array-contains-any", [user_id, `${user_id}:R`, `${user_id}:C`, `${user_id}:M`, "All_R", "All_C", "All_M"])

This method facilitates querying of content owned by a particular user, shared to that user, or shared with all users, while considering R, C, or M permissions.

My next objective is to implement a similar approach for authentication rules, ensuring that only users with "M" permission can perform modifications, etc. This will involve comparing the authenticated user ID to the user IDs stored in the array. Ideally, a feature akin to "array-contains-any" and string concatenation would be required for authentication rules.

Is this achievable within Firebase's capabilities, or should I explore alternative strategies?

javascriptfirebasegoogle-cloud-firestorefirebase-security

Answer №1

After conducting multiple tests, I have managed to make a subset of the available types function properly. Below, I will outline the steps taken so that you can further develop from this point.

The initial step involves making the following query operational:

ref.where("access", "array-contains", user_id)

This task can be easily secured with the following rule:

allow list: if request.auth != null && request.auth.uid in resource.data.access;

This essentially allows anyone to read the document if their UID is included in the access array.

The subsequent step requires permitting this query:

ref.where("access", "array-contains-any", [user_id, user_id+":R"]);

When attempting this with the previous set of rules, access is denied. This occurs because we are requesting a value that the rules do not recognize.

To rectify the situation, adjust the rules as follows:

allow list: if request.auth != null && (
  request.auth.uid in resource.data.access || 
  request.auth.uid+":R" in resource.data.access
);

Now, the conditions in both the code and the rules align once more, allowing the read operation.

If we introduce another condition for the all-access rules:

ref.where("access", "array-contains-any", [user_id, user_id+":R", "All_R"]);

Similar to before, our request is denied due to having a value in the query that is unrecognized by the rules.

To resolve this, incorporate that value into our rules as well:

allow list: if request.auth != null && (
  request.auth.uid in resource.data.access || 
  request.auth.uid+":R" in resource.data.access ||
  "All:R" in resource.data.access
);

With these adjustments, the query can now proceed successfully once again.

You can now include additional conditions here, and they should function accordingly.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Issue: The component factory for GoogleCardLayout2 cannot be located

Recently I've been working on an Ionic 3 with Angular 6 template app where I encountered an issue while trying to redirect the user to another page upon click. The error message that keeps popping up is: Uncaught (in promise): Error: No component fac ...

javascripthtmlangularionic-frameworkionic3

Following a successful ajax response, the functionality of the JavaScript ceases to operate

Once an Ajax request is successfully sent, the jquery.hover() function no longer works with the new content on the page. Is there a method to refresh the script without reloading the entire div through another ajax request, in order to make it functional ...

javascriptjqueryhtmlajax

Combine Laravel with Vue.js to dynamically load additional data by simply clicking on a button

I'm facing an issue. When I click the button, it fetches the entire database instead of loading a part of it. How can I make it load only a portion of the database? For instance: I want to display 10 posts after each click. Thank you for your assista ...

javascriptphplaravelvue.js

Limiting the number of characters in a textarea using React with TypeScript

Having encountered two issues, I've developed a textarea component that not only allows users to input text but also keeps track of the number of characters they have typed. First Issue: I'm attempting to check if the length of the current input ...

javascriptreactjstypescript

Put identical objects into several arrays at the same time

This question is in relation to a previous query about arranging 3 arrays to correspond with each other. After creating my objects, I am now attempting to push values into their respective arrays based on JSON data received. let objName = ["object1", "obj ...

javascriptjqueryarraysjsonobject

The error message [jsonFlickrApi is not defined] in JavaScript is indicating that the

Upon calling a FLickrAPI, the returned xmlhttp.responseText appears as follows: jsonFlickrApi({"photos":{"page":1, "pages":200, "perpage":100, "total":"19934", "photo":[{"id":"7315581986", "owner":"62691288@N00", "secret":"504915125a", "server":"7090", ...

javascriptjsonapiflickr

"Utilize ajax and a modal window to insert a new record

Unable to retrieve values from ajax request when trying to add records using modal. (home.php) <script type="text/javascript> function saveData(){ var modsubj = $('#modalsubject').val(); var modsect = $('#modalse ...

javascriptphpjqueryajax

Determine whether an item in a RadGrid is currently in Edit mode using Javascript

Looking for a solution with a telerik RadGrid where I need to determine if a GridDataItem is in edit mode. Preferably using JavaScript. I know how to do this with VB, but I want to achieve it on the client side. Additionally, I would appreciate assistan ...

javascriptasp.netradgrid

Can I safely keep a JWT in localStorage while using ReactJS?

As I work on developing a single page application with ReactJS, one question comes to mind. I came across information indicating that using localStorage may pose security risks due to XSS vulnerabilities. However, given that React escapes all user input, ...

javascriptnode.jsreactjsjwtlocal-storage

Using jQuery to create dynamic elements that fade out with timers

My website has a simple message system that displays messages in a floating div at the top of the page. Each message is supposed to fade out after a certain amount of time, but I want users to be able to pause the fading process by hovering over the messag ...

javascriptjquerytimer

The process of JavaScript for detecting and extracting text from

After much searching, I stumbled upon this intriguing piece of JavaScript code at this location. Curiously, I was able to remove a few eggs using the following script: var eggCoordinates = []; for (var i = 0; i < 5; i++) { eggCoordinates.push(new E ...

javascript

Incorporating a div element dynamically into a cell within a datatable with JavaScript

Is there a way to insert a div inside a td element within a datatable using the given HTML code? table = $("#workLocation-table").DataTable({ data: mainArray, "columnDefs": [ { className: "details-control" , "target ...

javascriptjqueryhtmlcss

What is the reason behind the Placeholder not functioning in IE8?

Whenever I trigger the onblur event on an input of type "password", it will hide both the placeholder text and the input itself. Check out the GitHub link for this plugin ...

javascriptjqueryhtmljquery-plugins

Flames dancing - transmitting parameter through callback feature

I am working on a code where I pass a function from javascript exportManager.RegisterCallbacks(function(progress) { console.log("export prog " + progress); }, function() { ...

javascriptfirebreath

How can I retrieve the SID received in a different tab using MSAL.js?

I have successfully integrated MSAL into a client-side library, and things are going smoothly so far. My next goal is to enable Single Sign-On (SSO) by following the instructions provided in the documentation at https://learn.microsoft.com/en-us/azure/act ...

javascripttypescriptazure-active-directoryazure-ad-msalmsal.js

Is there a way to remove the sign up link from the AWS Amplify Vue authenticator?

Utilizing the amplify-authenticator component from the aws-amplify-vue library to manage authentication in my application. I am currently exploring methods to disable the "Create Account" link on the front end interface, but haven't found a direct sol ...

javascripttypescriptaws-amplifyaws-amplify-vue

Sorting and dividing an Array using Angular

Forgive me in advance if this sounds like a naive question, as Angular and Typescript are not my strong suits. I am assisting a friend with an issue that I can't seem to overcome. I have an array of players that includes details such as first name an ...

javascriptarraysangulartypescript

Tips for incorporating the camera from fbxloader into your three.js scene

I am currently utilizing fbxloader from three.js to incorporate a model into my scene. I have noticed that the most recent version of fbxloader.js (https://github.com/mrdoob/three.js/blob/master/examples/js/loaders/FBXLoader.js) has the capability to read ...

javascriptthree.js

Taking out the modal element from the document object model, causing the animation

I am currently working on a project using Next.js, Typescript, and Tailwind CSS. Within this project, I have implemented a modal component with some animations. However, I encountered an issue where the modal does not get removed from the DOM when closed, ...

javascriptreactjstypescriptnext.jstailwind-css

The URI entered is not valid: The parsing of the hostname failed. Electron Builder

Having an issue while trying to build an electron app using squirrel, even though the iconUrl is valid. Here is my package.json configuration: "squirrelWindows": { "iconUrl": "http://95.85.39.111:5005/skylog.ico" }, Error message received: An unhand ...

javascriptnode.jselectronelectron-builder