'How to fetch all resources from Firebase database with nested security rules?
In firebase, is it possible to configure a rule so that when a parent resource is fetched, it only returns child items that the user as access to?
I have a data structure like so:
{
application_access_request: {
app_id_1: {
access_key_1: {
email: "[email protected]"
},
},
app_id_2: {
access_key_2: {
email: [email protected]
},
}
}
}
And then I have rules like so:
{
"application_access_request": {
"$appId": {
"$accessId": {
".read": "data.child($accessId).child('email').val() === auth.token.email",
},
}
},
}
As a user logged in with email [email protected],
When I request all resources from application_access_request/,
Then I want app_id_1 and it's children to be accessable / returned to the user,
Is it possible to allow reading of all application_access_request but only return apps that the auth'd user has access to?
Solution 1:[1]
No, security rules cannot be used to selectively return information (see rules are not filters). You may, however, be able to use querying to solve this use case. For example, if your data was structured:
{
application_access_request: {
app1: {
access_key: "[email protected]"
},
app2: {
access_key: "[email protected]"
}
}
}
You can use query-based rules to limit querying:
"application_access_request": {
".read": "auth.uid != null && auth.token.email_verified &&
query.orderByChild == 'access_key' &&
query.equalTo == auth.token.email"
}
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Michael Bleigh |