I am building a PWA (Web-App) and would like my client to be able to enter data such as new events into the Cloud Firestore, without me having to create a UI (ie. using the Firebase Console with permissions to only edit a collection).
It would also be alright to just grant permission to the whole Firestore for this user (as it's his data). I'm thinking of something like phpMyAdmin.
Would the user need a gmail-Account? I found something in the Project Settings (Users and Permissions - IAM).
Unfortunately this isn't possible in the Firebase or Google Cloud console. A user either has edit permission on Firestore as a whole, or they don't.
The console is focused on developers, and not a great fit for the type of use-case you're describing. The most common approach to such a use-case is to write a custom admin app for these users. If you don't feel like that, look at some of the existing admin panels or content management systems that build on top of Firebase out there.
Related
I have read a lot about read/write rules in the Realtime database, but I have not found any information on how to block changes from the console itself.
I am setting up a process where we have a repo for the content, and then push to the realtime database to deploy.
I would like to enforce this method and make it impossible to update it from the firebase console. Can this be achieved?
I still want people to have 'Editor' privilege of the rest of firebase though.
The built-in roles provide a collaborator similar permissions to groups of Firebase services, so they may not be flexible enough to allow this use-case.
Luckily you can also define a custom role in the Cloud console, which allows you fine grained control over what a collaborator can do.
Also see my longer answer (with screenshots) here: Firebase Storage View by certain users
I'm writing an app with Flutter and Firebase (using both Firestore, Storage and Authentication so far).
Currently the app shows content from Firebase, but now I'm trying to figure out how the best way is to implement writing/editing/removing stuff in Firebase.
The goal is to have users with admin privileges.
My question is if I can build an Admin Panel inside the client app (which would be ideal), or if that's considered bad practice and I should build an Admin Panel in another app and using Cloud Functions.
For example, currently I perform Authentication (signup/register) in the Flutter/Dart code and when registering it creates a field in Firestore isAdmin = false, which I then can manually set to true (if I want) in the Firestore console. Could this somehow be an "unsafe" way of doing this?
The goal is to have users with admin privileges
Since you are using the Authentication service you already have half of the solution: with authentication you can identify each user who is using your app.
The other part is Authorization: this is normally done with Security Rules in Firebase, both for Firestore and Cloud Storage.
To be able to authorize certain users (identified through authentication) with Admin privileges, you need to know which users have the admin role in such a way you authorized them to execute the admin functions.
One possible way to identify the admin users is to have an isAdmin flag in some user documents in Firestore, as you mention in your question. There is an example of Firestore Security Rule using this approach in the documentation.
HOWEVER, you will encounter some problem if you want to use this flag (stored in Firestore) with Security Rules for Cloud Storage. At the time of writing, it is not possible to read the value of a Firestore document in Security Rules for Cloud Storage.
The solution is to use Custom Claims. You will find all the details in the doc on how to implement it in such a way it fulfill your needs.
Can I build an Admin Panel inside the client app?
Yes, you can very well do that. As soon as your security is correctly implemented (through Authentication and Security Rules, as explained above), there is nothing that prevents you to develop an Admin panel. If a user that is not admin can access the Admin panel, he/she will not be able to perform the admin actions (i.e. writing/editing/removing Firestore or Cloud Storage data).
Moreover, with Custom Claims, you can access them in the front-end to modify the client UI based on the user's role or access level (i.e. showing the pages, buttons and menu items of the Admin module only to admin users -note however that this does not prevent someone to reverse engineer your app and execute the queries dedicated to admin users: this is why it is key to correctly implement the Authentication and Security Rules parts-). See this section in the Custom Claims doc.
Should I build an Admin Panel in another app and using Cloud
Functions?
If you don't want to over-complexify your app with some logic to hide/show the Admin panel elements (based on Custom Claims, see above) you can very well build the Admin Panel in another app.
If you have specific needs/access restrictions that cannot be implemented through standard Security Rules you could very well use some Cloud Functions to check the user is an admin and to execute the writing/editing/removing admin actions (note however that while it is quite easy to interact with Firestore from a Cloud Function, it can be a bit more tricky with Storage: using the Cloud Storage Client SDKs is much easier than interacting with Cloud Storage through Cloud Functions).
You would preferably use Callable Cloud Functions, since "with callables, Firebase Authentication and FCM tokens, when available, are automatically included in requests". (See https://firebase.google.com/docs/functions/callable).
Side Note: You may be interested by this article, which details how to to create an Admin module for managing users access and roles. (Disclaimer: I'm the author).
the idea of creating an admin panel for any flutter app
The idea is for two applications with different names and they will be linked to each other with Firebase
for more details see the video from the link
https://youtu.be/d7qoff-I8BU
I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only to the "Authorizations" tab. (to CRUD users). The access must be by the Firebase (regular) Web Console
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found nothing about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that your file a feature request, to add your vote.
I have a Firebase app, and I want to know if it's possible to restrict a Firebase Console user to access only to the "Authorizations" tab. (to CRUD users). The access must be by the Firebase (regular) Web Console
Especially, I don't want the user to see the database data via the web console. Is that possible? I've managed to give him access to the entire project, and he can do anything I can do (is an Admin).
I haven't found nothing about this in the docs / searching.
firebaser here
Collaborators on a project currently have access to the entire Firebase Console. You can limit to having read-only access, but you currently can't limit what panels they have access to.
We've heard the request before and know this would expand the usefulness of the Firebase Console. I recommend that your file a feature request, to add your vote.
I have an app that uses Firebase and I have a few people that need to be able to update data in the Firebase Dashboard. Luckily, Firebase added the feature to add collaborators. But the problem is, I don't want these collaborators to have access to every node of the JSON. Is there a way that I can assign collaborators specific access to certain nodes of the data structure or no?
Any feedback would be great. Thanks!
Collaborators on the Firebase project/app have access to all data. There is no way to limit that.
It sounds like you are looking to add application administrator. For this you'll have to develop your own application dashboard, where you add such functionality. These application administrators are then just regular users of your app and you can use Firebase security rules to determine what data they have access to.
Very similar: Stopping accidental deletion of a firebase DB via Firebase Dashboard