right now I'm working on a project where I need to dive deeper into Firebase security rules but I am not the biggest expert in this topic and I also haven't found a solution for what I need to have online.
I have a user system in the Realtime Database which has the following structure:
users -> username -> myProfile / friends / and more...
In Cloud Firestore I have stored the username so that if someone logs in he can get his username out of the document in Cloud Firestore and read the document with the title of his username in the Realtime Database (I hope that makes sense).
Now I want to write security rules which allow the user to only read his own document (which does not have the title of his uid but of his username)...
Also, I want to allow other users to read the data in users -> username -> myProfile, but only if the username of the requesting user is contained in users -> username -> friends of the person, who is requested.
To clarify an example:
Person A logs into his account, he gets his username from Cloud Firestore and wants to access his document in the Realtime Database named by his username.
Then he wants to read the data of Person B in the RD, but he should only be allowed to do this if his username is saved into the array in the friends array in the profile of Person B.
Everybody must be able to read the friends array from everyone, but only able to read the myProfile data, if his username is contained in the friend array of the other person.
Database structure
I would be super thankful for any help! If something is unclear just ask!
Micha
Related
I am trying to create an app using firebase auth and firestore where new users can be invited via email to work on a project. The problem is, I do not know the best way to store the temporary user project permissions before they have a uid. I want the user that got invited via email to get access to the project upon opening the link sent to them.
I had tried two different ways
Having a sub collection doc for every user in the project
/project/{projectId}/users/{userId}
When a new user is invited, the userId was set to their email, having a cloud function that triggered when a new user was created to send the invite email to the user. Once the user opened the link, it deleted their user document and a cloud function ran that created a new doc with the users id now that they had once since they were authenticated.
This worked, but left a 10 second period where the user can't interact with the project because the cloud function for making the new user doc is running. Also it just seemed like a bad way to do it.
Having a single document with all of the user information
/project/{projectId}/users/users
users:{
roles: {
users_id: 'admin',
new_user_email: 'admin',
}
}
This one I was not able to get to work as firestore does not let you create a key with a period in it, but if there was a way around this, it would work as well. I had also set up firestore security rules which made it so they could only edit fields where the key was there uid or their email if they were not an editor/admin.
Consider creating an anonymous account in Firebase Authentication first, which requires no input from the user. It will receive a UID that you can use to store data for that account. Then, you can convert that account to a normal account after the signup or login succeeds.
Since you didn't say which mobile platform you're using, I linked you to the web docs, but the procedure is generally the same for each one.
Newbie to Parse Server here.
I have an app which reads data from Parse Server and displays it to users without logging them in.
I want to create another 'Admin' app which will allow ONLY ONE pre-populated admin user to login and change the data. Is this possible via Facebook login? I would prefer Facebook login because with normal (user, password) login I can't implement 2FA easily on Parse Server. Facebook login would take care of the issue since the user is already logged into Facebook using 2FA.
Is this possible? Any suggestions / pointers would be appreciated. I am coding both apps in React Native. The first app is complete.
The type of login has nothing to do with the abilities a user has. The simplest solution for your desired setup is using class-level permissions:
create a new Role object and name it accordingly, e.g. admin
add your admin user to that role
set class-level permissions for your data classes: grant public read access, limit write access to the admin role
Now every user can see all the data, but only members of the admin role are able to manipulate them. If you want you can add more users to the role to also give them write access.
BTW: all these steps can be performed in Parse Dashboard, no coding required.
EDIT
Actually you can have it even simpler, the class-level permissions can also be granted to a single user -- so no need for a role, if you really only need one admin.
I've been working with realm db in a React Native App for the last couple of days.
I'm wondering how to implement sharing of realms: https://realm.io/docs/javascript/latest/#permissionofferpermissionresponse
I understand that you have to create a permission offer and then send it to the specified user. Then that user accepts the offer and he is granted access to this realm. What I have difficulties understanding is - how do I know what realms a user has access to? Where do I keep this - I can't find information about the shared realms in the managementRealm object. Am I supposed to keep track of the realms a user has access to myself?
We have the following structure:
company -> field -> comments
Each user of the App is able to create companies & to share those companies with other users. Upon start of the App the user sees the companies he has access to:
Company 1
Company 2
Each company is a realm (database). Do I need a special realm (e.g. company_track) to keep track of realms that a user has created and has been granted access to?
So when the app starts I would provide the url to the company_track realm and from there I would read the data necessary to load the other realms.
Having worked with Realm, but not with the permissions stuff, I can't say this for certain, but it seems each user's management realm should contain permission objects representing all the realms they can access.
After reading a bit on the Xamarin docs, it says that the management realm is supposed to hold an object of type Permission for each realm the user has access to. The permission object contains the url to the realm and the access levels a user has.
There should be something similar for use in javascript as the underlying tech is the same.
Friends,
I need some help on Word API Authentication.
Scenario:
Our articles has meta data which contains who can work on the articles (User1, User2), we need to know user_name (window's id) who logged into the machine so that we can authenticate the users against article metadata without asking them to log-in each time.
Workflow:
Article Creator Process is responsible for creating the document. This process will create word document and will be transferred to the user.
Article processor is adding custom xml part into document such as User Name, Document ID etc.
Authentication Rule is simple here. If article metadata contains your name then only you can work else not.
We need to match article meta data name with user who is opening the document. So here we need to know who log-ed into the machine.
How we can get this information for Online and Offline ?
We don't want our desktop users to enter the credentials again and again. For desktop which is (90% users will use desktop) is should be pretty straight forward, get user name and match it with article metadata.
Appreciate any help on this, any alternative solutions to handle this are most welcome.
There is no way to find out the current user's username. You can get the unique ID of the user in terms of a GUID-like entity, though, so I suppose you could store the user GUID into the custom XML part instead. The GUID corresponds to the Microsoft account or OrgID identity of the user.
See https://msdn.microsoft.com/en-us/library/office/jj164035.aspx for more info, particularly the "To load a test license from your Visual Studio project" section that describes the structure of the validation token.
Alternatively, if you can trust your users (i.e., it's just identification, not authentication), have them type in their name once, and then store it in the browser's localStorage.
I'm currently using OpenID to allow users to login to my website using Google as a provider. I'm thinking about allowing users to use Facebook to login as well. When a user logs in with Google OpenID, Google sends the following data to my website about the user:
Full name
First name
Last name
ID
Gender
Language
Email address
I've done some quick searching, but I can't find a list of attributes that Facebook would provide with an Oauth login. What data does facebook provide by default, and what additional data can you ask for?
Here's the list of what I get when accessing https://graph.facebook.com/me:
id
name
first_name
last_name
link
username
about
work
education
gender
email
timezone
locale
verified
updated_time
If you look at https://developer.facebook.com they have a bunch of tools which let you poke around and test URLs.
Check out the Facebook Graph Explorer tool: https://developers.facebook.com/tools/explorer/
By default, this tool let's you query the Facebook graph with default permissions.
There's a button labelled 'get access token' which gives you the option to generate access tokens for every possible combination of Facebook permissions. You can then query the Graph with any set of permissions and see what data is available.