{
  "rules": {
    "documents": {
      "$group_id": {
        // anyone in this group can write to these documents
        ".write": "$group_id === auth.groupId"
      }
    }
  }
}
match /{groupId}/{imageId} {
  allow read: if resource.metadata.owner == request.auth.token.groupId;
  allow write: if request.auth.token.groupId == groupId;
}
Hi Ryan,
Thanks for reaching out. Some wonderful challenges here. Sorry it’s taken a while to get back to you. We’ve had quite a bit of internal discussion about this post. The rest of this copy is me channeling various discussions; none of this is my own wisdom. Thanks Mike M., Alfonso, Tristan, and others!
This is a hard problem we don’t have a great answer for yet. There are definitely some places we could improve. Two of the ideas being discussed and considered for future dev work are cross-feature security rules between the Database and Storage, and some notion of groups in our Auth process.
Now on to your numbered questions.
1. Yes, the proposal is correct. This is the best way to do this now.
firebase.app().auth().currentUser.getToken(), but it returns a promise which itself returns the token, and our suspicion is that you may be serializing that. This should work:
firebase.app()
  .auth()
  .currentUser
  .getToken(true) // True always fetches a fresh token, recommended.
  .then(function(token) {
    // Send 'token' (string) to backend directly
  }).catch(function(error) {
    // console.log(error)
  });
3. Until we have a better answer, you will need to keep your own mapping between uid <-> groups in the database, and read it from your backend after the sign-in operation. You’ll also want to write to it after a sign-up.
I hope that helps!
☼, Kato
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/a169e98e-fabf-40da-9ca8-8fc3f4bfa5ad%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
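A sketch of the backend step described in point 3 above, as an added example that is not part of the original thread: after sign-in, the backend derives the groupId claim from its own uid-to-group mapping and ignores any group the client sends. The maps, function names and sample tokens are constructed stand-ins, and ID token verification is stubbed.

```javascript
// Added example: all names and sample values here are constructed.
// Stand-in for the uid <-> groups mapping kept in the database.
const GROUP_BY_UID = new Map([['uid-alice', 'group-a'], ['uid-bob', 'group-b']]);

// Stand-in for server-side ID token verification; a real backend would
// validate the token's signature with its server SDK at this point.
const UID_BY_SAMPLE_TOKEN = new Map([
  ['idtoken-alice', 'uid-alice'],
  ['idtoken-carol', 'uid-carol'], // signed in, but has no group mapping
]);

function verifyIdToken(idToken) {
  // A serialized promise or object arrives as a non-string: reject it early.
  if (typeof idToken !== 'string') throw new TypeError('ID token must be a string');
  const uid = UID_BY_SAMPLE_TOKEN.get(idToken);
  if (uid === undefined) throw new Error('invalid ID token');
  return uid;
}

// Claims to embed in the custom token minted after sign-in. groupId is read
// from the server-side mapping only; request.groupId is never trusted.
function claimsForSignIn(request) {
  const uid = verifyIdToken(request.idToken);
  const groupId = GROUP_BY_UID.get(uid);
  if (groupId === undefined) throw new Error('no group mapping for ' + uid);
  return { uid, groupId };
}

// The comparison both rule snippets make for writes: path group vs. token claim.
function ruleAllowsWrite(claims, groupIdInPath) {
  return claims != null && claims.groupId === groupIdInPath;
}
```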
I understand from Chris Raynor of the Firebase team that the security rules of the DB are disregarded if OAuth2 tokens are used. Does this apply to this use case? Please clarify. Source: Chris's reply to my question.
firebase.app()
  .auth()
  .currentUser
  .getToken(true) // True always fetches a fresh token, recommended.
  .then(function(token) {
    // Send 'token' (string) to backend directly
    console.info(token); // token is a string
    JSON.stringify(token); // token is an object
  }).catch(function(error) {
    // console.log(error)
  });