Firebase rules based on permissions in another system

437 views
Skip to first unread message

koen van geert

unread,
May 12, 2017, 10:41:16 AM5/12/17
to Firebase Google Group

I would like to know if the firebase rules are eventually consistent across firebase itself or not. I will explain further by an example of our particular use case.


We limit access by setting specific access rules per resource for each user. 

This is a very similar set-up as the official security example. The main difference is that we have a special user for writing the access rules.

Our code block looks similar to this:

"access": {
  ".read": "<adminValidationRule>",
  ".write": "<adminValidationRule>",
  "$id": {
    ".read": "auth != null && auth.uid != null && $id == auth.uid",
    "$resourceID": {
      ...
    }
  }
}

In other parts of the hive we add rules as such:

root.child('access').child(auth.uid).child($id).child('read').val() == true

The general flow is visualised in the following sequence diagram:


We write the access rules with a set and wait with responding to the browser until the set has completed. Can we be 100% sure that when the user requests the resource from firebase in the browser the firebase rules will be running against the new access rules?

Tyler Rockwood

unread,
May 13, 2017, 5:52:50 PM5/13/17
to Firebase Google Group
Hello,

For the Firebase Realtime Database, rules are strongly consistent, and as soon as they are uploaded all current connections/operations get reevaluated using the new rules.

We also have read after write consistency, so as soon as you write data (ie get a successful response back), all future rules evaluations and reads will be evaluated with that data.

Hope that helps!

-Tyler

koen van geert

unread,
May 15, 2017, 10:27:18 AM5/15/17
to Firebase Google Group
Hello Tyler,

It was the answer I was hoping for!

Thanks,

Koen

Chris Raynor

unread,
May 15, 2017, 12:30:33 PM5/15/17
to Firebase Google Group
Hi Koen

What Tyler says is true, though I think he was referring to direct upload of rules through the REST API: https://firebase.google.com/docs/database/rest/app-management - if you're changing a value in the Realtime Database to affect rules (which it looks like you're doing) the same consistency guarantees apply and the listeners also get reevaluated, but the one addition I would add is to make sure you wait for the confirmation when writing the value to the /access/$id/$resourceId/read node - if you're using a SDK to write that, you should wait for the callback otherwise the 'latency compensation' might kick-in if you're offline and it won't have written when you think it has.

Chris

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/86aa84d4-f027-4345-9835-e758d3553151%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages