I have a document in Firebase structured like so:

{
  applications: {
    id_1: {
      feature: {
        a: true,
        b: false
      },
      users: ['user_id_1', 'user_id_2']
    }
  }
}

I want to add a rule that ensures only users in the users array can read and write to the application with id === id_1.

I have tried adding the following rules but still seem to be able to read and write data when logged in as user_id_3

{
  "rules": {
    ".read": "now < 1643846400000",  // 2022-2-3
    ".write": "now < 1643846400000",  // 2022-2-3,
    "applications": {
      "$appId": {
        ".write": "data.child('users').hasChild(auth.uid)",
        ".read": "data.child('users').hasChild(auth.uid)"
      }
    }
  }
}

How can I add a rule to give access to a group of users?

CodePudding user response：

The hasChild function used in your rules example only checks for keys that are children of the path you specified. In your case, the path is applications/$appId/users.

The data stored at applications/$appId/users is an array, so the key for each item in the array would be the item's index. This is why your rule doesn't work - you are checking for user_id_1 or user_id_2, but the keys in your data are 0 and 1. There is no current equivalent for "array contains" when writing Firebase rules.

One solution would be to change the data structure of applications/$appId/users to be an object instead of an array. For example:

{
  applications: {
    id_1: {
      feature: {
        a: true,
        b: false
      },
      users: {
        user_id_1: true,
        user_id_2: true
      }
    }
  }
}

Then using hasChild in your rules will work since the user's id is a child of applications/$appId/users.

On thing to note about your security in general: By granting write access to all of $appId, you are giving any user at applications/$appId/users the ability to edit any other user's permission. Since they are free to read/write all data at that location.