How do I define admin permissions in Firebase Firestore? - firebase

I am making a web app but I'm a little confused as to how I should give elevated permissions for the administrators. For instance, here, I want regular users to be read-only and admins to obviously have read and write permissions. How should I go about defining that? Any insight would be very much appreciated!

You want to add custom claims to your user accounts. It is also common to add a 'role' field (or similar) to user documents in Firestore.
That alone doesn't do you any good. You also need to protect your reads and writes with Firestore security rules where you can check if the user requesting a resource has a access to the document.

Related

How to make document accessible to changing group of users in FireStore Security Rules

I've been trying to understand the differences of one-to-many and many-to-one relationships in nosql databases. I purchased a few courses on this and Firestone security rules language and have a basic grasp of it all, but I can't think of an efficient way to make a document accessible with a group of people.
I'm trying to implement an application where a user can have a profile and add users to be able to visit the profile/page as well. The only way I know how to do this is to add a field of allowed users to a document and when a user pulls the document down if their ID isn't in that field of permitted users then the profile won't display. I understand this is horribly flawed in that the user was still able to read the document and could rewrite it if permissions aren't set correctly. The only security in this method is hoping that no malicious users no the file path to where documents are stored.
Does anyone know how to properly add a group of users to be able to access a document in firebase?
So far I've implemented UID authentication in Firestone rules to ensure that a user is authenticated, but still any authenticated user can read or write any document in the app I'm demoing around with right now.
I also know you can create custom user types in firebase. This doesn't seem a valid solution for my application since I want to create a custom 'group' for each user that has a profile. Any advice would be greatly appreciated.

How public is "if request.auth.uid != null" as a security rule in Firestore?

I'm using Firestore to store my data. This includes user profile details and their current location in documents, which are stored in a collection with the below security rules:
match /profile/{w9o3948s} {
allow read, write: if request.auth.uid != null;
}
Is there any way for people to "browse" the list of documents in the collection and look through user's locations? Or can that only be done by code within in my app?
The document ID is randomly generated, so even if someone hypothetically knows a current document ID - how would they query the document?
Is there any way for people to "browse" the list of documents in the
collection and look through user's locations?
Yes, with your security rules it is totally possible.
As soon as (1) someone has the apiKey of your Firebase Project and (2) the email/password sign-in method is enabled, this person can use the Firebase Auth REST API and sign-up to your project (i.e. create a new account).
Getting the apiKey is not very difficult if you deploy an app linked to your Firebase project (Android, iOS, Web...).
One standard way to give access to only a set of users (for example, the employees of your company, or some paying subscribers to your app) is to use Custom Claims. You will find in the documentation the guidelines for setting access control with Claims.
You may be interested by this article which presents how to build, with a Callable Cloud Function, a module for allowing end-users with a specific Admin role creating other users and how to restrict access to users with one or more specific Custom Claim(s). (disclaimer, I'm the author).
Or can that (i.e. browse the list of documents in the collection) only
be done by code within in my app?
Anybody who can reverse engineer your app can find the name of your Firestore collections and, with an account created as explained above, can access the documents in those collections.
The document ID is randomly generated, so even if someone
hypothetically knows a current document ID - how would they query the
document?
As you will read in the section of the Security Rules documentation dedicated to Granular Operations, using read allows users to get one document AND to list all documents of a Collection (of a Query). So if you want to restrict the read access rights of a user to only his/her profile, you will need to have two different rules for get and list.
So, in conclusion:
Use Custom Claims: they can only be set from a "privileged server environment" through the Firebase Admin SDK. "Privileged server environment” meaning a server that you fully control or a Cloud Function in your Firebase Project.
Fine tune your Security Rules to (a) use the custom claims in the rules and (b) use granular access rights.

using Firebase as read only

I'm looking to move my json file to an database service. I've been looking at Firebase-- Firestore in particular.
What the website is, is a collection of recipes.
Users can search for recipes by category. Or they can search by typing in ingredient.
I dont need to have users signing up and logging in.
Its not overly clear to me:
If this service can be used as a 'read only' database to populate the website with what the user selects.
If the database can be secure yet not have users sign up and log in.
Can anyone direct me to documentation/tutorial on the "how to" to have the data itself secured, but available for read only and without needing users to create log-ins.
Thank you,
Lee
Yes
Yes
You need to look into security rules to make sure your public read-only data is actually read only: Just allow read: if true for each collection that you want to give access.

Making Firebase Cloud Storage URL Unguessable?

I want a group of users to access files stored in Cloud Storage, but I want to make sure they are authorized. Do the unique ids generated by Firestore create enough protection to make them unguessable?
I have my files stored using this structure in Firestore:
/projects/uidOfProject/files/uidOfFile
I made sure that only authorized users can view uidOfProject and uidOfFile using Firestore Rules.
I store that actual files in Storage here:
/projects/uidOfProject/files/uidOfFile
But, I cannot lock down this path to only the authenticated user id, because other users can access this project.
Is the fact that I have two unique ids enough to prevent a user who doesn't have access from finding these files? What are the odds of a user figuring out both the uidOfProject and uidOfFile and manipulating that file? Is there a more secure way of doing this? I know cloud functions could offer a solution, but at a cost of speed.
Do the unique ids generated by Firestore create enough protection to
make them unguessable?
Security through obscurity is NOT security. Good reference to read.
Unguessable, probably. However, due to the somewhat public nature of URLs, logfiles, information leaks, "hey check this out" favors, etc. objects that are not properly protected will be discovered.
If only users of the project can access the files, can they also list the files? If yes, curiosity might take place browsing to see what is there.

Is it possible to create a Realm where everyone has read access, but users can only modify objects that they create?

Is it possible to create a realm where everyone has read access, but users can only modify objects that they create? An example would be a forum where any user can post and all users can see all posts, but only the user who made the post can edit it or delete it.
No, it is not possible.
The permissions for Realms are global to the Realm.
To get your desired behaviour, you would need to use multiple Realms.
Each user has a Realm which they write into.
Users have write permission to their own Realms, and read permissions
to all the others.

Resources