Is Firebase Realtime Database ok for scenario with multiple user and ownership ?

[Dawid Pacholczyk]

I am building an android app and I am looking for good data storage (database). I want to avoid creating MySQL (or similar) db setting it on my own server and preparing webservice for managing data, I would also like to allow user to sync his data between his devices. That is why I am thinking about Firebase realtime database but I am not sure is ot ok for my scenario. To simplify a bit lets say that I will have 3 entities: User, Group, Product

Each user can create his own groups and products. He can attach product to a Group. Product can be attached only to one Group.

As I understand FRD (Firebase Realtime Database) is synced in realtime to all devices so every user will have data of every other user. So is there a chance to set an ownership ? For example I want to create something like "SELECT * FROM group WHERE owner = 'Dawid'"

I hope you see my point. I like firebase db because it is getting of my shoulders all things related with architecture and sync and so on, but I don't feel that this realtime sync ok for my scenario

[Andreas B]

Every user will not have data of every other user, but only the part of the database that you are listening for. Using the example here (https://firebase.google.com/docs/database/web/structure-data), if you are listening for everything under the users/alovelace node on a certain user's device, your app on that device will not have access to data under the users/ghopper node.

You would of course use user ID's as provided by Authentication, not names, and then secure the data so that only a signed in user can read/write their own data: https://firebase.google.com/docs/database/security/user-security

[Dawid Pacholczyk]

Thank you for that. I must admit that I have a different idea about this database. I though in a more traditional way that the whole DB is synced in 100%, now I see that I can sync only specific nodes. That is a fantastic news because this was my biggest problem.

Going with provided by you example, when new user registers I can create a node specific for him and listen only to that node and for example to a common node available for everything. Data of other users won't be synced. Is that correct ?

W dniu sobota, 9 września 2017 10:36:38 UTC+2 użytkownik Andreas B napisał:

[Andreas B]

Exactly,

your database with the entities User, Group, Product could then look like this:

{

  "users": {

    "Uid1": {

      "name": "Dawid",

      "ownedGroups": {

        "Gid1": true,

        "Gid2": true

      },

    },

    "Uid2": {

      "name": "Andreas",

      "ownedGroups": {

        "Gid3": true

      },

    "Uid3": { ... },

  },

  "groups": {

    "Gid1": {

      "ownerUid": "Uid1", //Group Gid1 is owned by user with Uid1

      ...

    },

    ...

  },

"products": { ... }

}

You can get a user ID string for the currently signed in user from a FirebaseAuthentication instance in your app, and then use it as part of the path to a certain node that you are trying to read, or pass it along with the date that you are trying to write. You can then add security rules to make sure that only a user with the correct user ID is allowed to read/write something. For example:

{

  "rules": {

    "users": {

      "$uid": {

        ".write": "$uid === auth.uid"

      }

    },

    "groups": {

      ".read": "data.child('ownerUid').val() === auth.uid"

  }

}

means that only a signed in user with a user ID ("auth.uid") matching the user ID used in the path ("$uid") is allowed to write something, and only the owner of a group ("data.child('ownerUid').val()") is allowed to read it. Similarly, you can also make sure that the correct user ID is present in the data that the app is trying to write (referring to the "newData" variable): https://firebase.google.com/docs/database/security/securing-data#predefined_variables

[Andreas B]

*FirebaseAuth, not FirebaseAuthentication: https://firebase.google.com/docs/auth/android/start/