Create a gist now

Instantly share code, notes, and snippets.

@sararob /data-structure.js
Last active May 29, 2017

What would you like to do?
Download ZIP
Role-based security in Firebase
Raw
data-structure.js
/*
This example shows how you can use your data structure as a basis for
your Firebase security rules to implement role-based security. We store
each user by their Twitter uid, and use the following simplistic approach
for user roles:
0 - GUEST
10 - USER
20 - MODERATOR
99 - ADMINISTRATOR
This file shows the data structure, and the security-rules file below
shows the corresponding security rules.
*/
{
"users": {
"twitter:12345": {
"full-name": "Sara Robinson",
"username": "SRobTweets",
"role-value": 10
},
"twitter:56789": {
"full-name": "Michael 'Kato' Wulf",
"username": "katowulf",
"role-value": 20
}
....
},
"rooms": {
"public-room-1": {
"users": {
"twitter:56789": 20,
"twitter:12345": 10
}
},
"admin-only-room": {
"users": {
"twitter:56789": 20
}
}
...
},
"messages": {
"public-room-1": {
-JVwTPcWMIt0J6Gbtrqh: {
"user": "twitter:12345",
"text": "Hello everyone!"
}
...
},
"admin-only-room": {
-JVwU5tLQRPbzXo4s_a1: {
"user": "twitter:56789",
"text": "This is a top secret message."
}
...
}
}
}
Raw
security-rules.js
{
"rules": {
".read": true,
"users": {
"$user": {
//can add a message if authenticated
".write": "auth.uid === $user"
}
},
"rooms": {
"$room": {
"users": {
// can write to the users list only if ADMINISTRATOR
"$user": {
"write":"newData.parent().child(auth.uid).val() === 99"
}
}
}
},
"messages": {
"$room": {
"$message": {
//can add a message if they are a MEMBER
".write": "(!data.exists() && newData.exists() && root.child('rooms/' + $room + '/users/' + auth.uid).val() >= 10)"
}
}
}
}
}
@tommybananas

tommybananas commented Dec 8, 2014

Shouldn't root.child($room + '/users/' + auth.uid) be something like root.child('rooms/' + $room + '/users/' + auth.uid)?
@jdsingh

jdsingh commented Jul 25, 2015

@sararob Logged in user can change the role-value at /users/$user ?

Isn't this should be changeable by admin only ?
@AWolf81

AWolf81 commented Dec 29, 2015

@jdsingh Yes, I think you're right. An authenticated malicious user can change his own role to anything he likes in the browser console. With ref.child('users').child('own-uid').update({'role-value': 20}); with var ref= new Firebase('https://<app>.firebaseio.com');

The user can also look for the available roles with ref.child('users').once('value', function(snapshot) { console.log(snapshot.val()); }

I also think that should be restricted and that's possible if you're putting the user roles in a top level document. Then you can add a write rule only for admin users to edit that document.

I'm learning Firebase at the moment. I'll check this with my current demo and come back once I've got it working.
@hounvs

hounvs commented Jan 27, 2016

@AWolf81 Any progress? I'm just now learning firebase and am looking for some means of defining/assigning roles securely. I'm not sure of the proper way to organize the database
@Andersos

Andersos commented Jan 30, 2016

Would be nice to address the problem of users being able to change their own role.
@Andersos

Andersos commented Jan 30, 2016

I ended up trying this. Not sure how well it will work

type User {
  name: String,
  email:  String,
  isMember: Boolean,
}

type Role {
  isAdmin: Boolean
}

path /users/{uid} is User {
  read() { isCurrentUser(uid) || isAdmin(uid) }
  write() { isCurrentUser(uid) || isAdmin(uid) }
  validate() { this.isMember === false || isAdmin(uid) }
}

path /roles/{uid} is Role {
  read() { isAdmin(uid) }
  write() { isAdmin(uid) }
}

isCurrentUser(uid) { auth != null && auth.uid == uid }
isAdmin(uid) { auth != null && root.roles.uid.isAdmin.val() }
@Andersos

Andersos commented Jan 31, 2016

This is getting me closer to an answer http://stackoverflow.com/questions/21815229/is-there-a-way-to-restrict-registrations-in-firebase/21834842#21834842
@lazabogdan

lazabogdan commented Feb 11, 2016

@Andersos if you don't mind, what is that code you used in your previous comment? Looks interesting
@curlybracketsco

curlybracketsco commented Mar 8, 2016

I just wrote up some thoughts on what I think is a promising solution to admin / moderator roles from the Firechat app (written by the Firebase devs) - http://curlybrackets.co/blog/2016/03/07/implementing-roles-in-firebase/
@bruno2ms

bruno2ms commented Mar 21, 2016

@lazabogdan if it still matter, that code was written in Bolt.

Accordingly to Firebase "Bolt is a high level modeling and security language that lets you easily translate your application’s data structure to the low-level JSON rules needed to secure your data in Firebase."

I`m using it in some projects and its preety good.

Firebase blog post
@sebastianovide

sebastianovide commented Jul 18, 2016

are you still using it ? It is not clear if it will be maintained after Firebase 3.0
@HerRomero

HerRomero commented Nov 17, 2016

I am working on an advanced role based security rules system for an app based on this.

chat_permissions
	chat1
		admins
			user1= true
			user2 = true
		observers
			user3 = true
"chat_permissions": {
      ".read": "auth != null",
      	"$group": {
          ".write": "data.child('admins').hasChild(auth.uid) || !data.child('admins').exists() "
        	// allows to modify users permissions (as well as add or delete users) if user is admin or if there are no admins
        }
    }

After this you set all security rules based on user permissions
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment