Gist sararob/331760829a9dcb4be3e7 (142 stars, 25 forks)
```javascript
/* This shows how you can authenticate users and store user data in Firebase
   using Firebase Simple Login with Twitter. The corresponding security rules
   are in the security.json file */

// Define Firebase references
var ref = new Firebase("<your-firebase>.firebaseio.com/");
var usersRef = ref.child("users");
// The "messages" node is the one the security rules guard. The original gist used
// messagesRef below without ever defining it, which throws a ReferenceError on the first post.
var messagesRef = ref.child("messages");
var currentUser = null; // we'll use this to see if a user is currently logged in

// Call an 'auth' function when a user clicks a login button (this example uses twitter)
$('#login').on("click", function () {
  auth.login('twitter');
});

// Authenticate users and store each user in Firebase by their Twitter UID
var auth = new FirebaseSimpleLogin(ref, function (error, user) {
  if (error) {
    console.log(error);
  } else if (user) {
    usersRef.child(user.uid).set({pic: user.thirdPartyUserData.profile_image_url, username: user.username});
    currentUser = user;
  } else {
    // user is logged out: clear the cached user so the post handler stops treating them as signed in
    currentUser = null;
  }
});

// When a user adds a message, add the message data to Firebase
$('#message-submit').on('click', function () {
  if (currentUser != null) {
    var message = $('#msgInput').val();
    // Send the message to Firebase
    messagesRef.push({user: currentUser.uid, username: currentUser.username, message: message});
  } else {
    alert('You must login with Twitter to post!');
  }
});
```
security.json:

```json
{
  "rules": {
    ".read": true,
    "messages": {
      "$message": {
        ".write": "auth.uid != null && auth.uid === newData.child('user').val()",
        ".validate": "newData.child('message').val() != ''"
      }
    },
    "users": {
      "$user": {
        ".write": "auth.uid === $user"
      }
    }
  }
}
```
@sararob A logged-in user can change the role-value at /users/$user? Shouldn't this be changeable by admin only?
@jdsingh Yes, I think you're right. An authenticated malicious user can change his own role to anything he likes in the browser console, with `ref.child('users').child('own-uid').update({'role-value': 20});` where `var ref = new Firebase('https://<app>.firebaseio.com');`.
The user can also look for the available roles with `ref.child('users').once('value', function(snapshot) { console.log(snapshot.val()); });`
I also think that should be restricted, and that's possible if you're putting the user roles in a top-level document. Then you can add a write rule so that only admin users can edit that document.
I'm learning Firebase at the moment. I'll check this with my current demo and come back once I've got it working.
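The restriction proposed in the comment above (roles in their own top-level node, writable by admins only), worked out as a complete rule set for this gist's database. This is an added example, not the gist's security.json and not any commenter's code; it assumes a `/roles/$uid/admin` boolean flag, which the page does not define. Two points the gist's own rules do not show: a `.read: true` at the root would cascade to `/roles` (rules only grant access, they never revoke it further down), so the public read grant is moved onto `messages` and `users`; and `/users/$user` gets a `.validate` so a user cannot write a `role` field into their own profile at all.

```json
{
  "rules": {
    "messages": {
      ".read": true,
      "$message": {
        ".write": "auth.uid != null && auth.uid === newData.child('user').val()",
        ".validate": "newData.child('message').val() != ''"
      }
    },
    "users": {
      ".read": true,
      "$user": {
        ".write": "auth.uid === $user",
        ".validate": "!newData.hasChild('role')"
      }
    },
    "roles": {
      ".write": "auth != null && root.child('roles').child(auth.uid).child('admin').val() === true",
      "$user": {
        ".read": "auth != null && (auth.uid === $user || root.child('roles').child(auth.uid).child('admin').val() === true)",
        ".validate": "newData.hasChildren(['admin']) && newData.child('admin').isBoolean()"
      }
    }
  }
}
```

With these rules the browser-console write from the comment above is rejected, and a signed-in user can read only their own entry under `/roles`, so the role list can no longer be enumerated from the client. The first admin cannot be created through these rules (there is no admin yet to authorize the write): seed `/roles/<first-admin-uid>/admin = true` from the Firebase console or a privileged server process, after which every later role change has to come from an existing admin. The gist's client code works unchanged, because it only writes `pic` and `username` under `/users/$user`.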
@AWolf81 Any progress? I'm just now learning Firebase and am looking for some means of defining/assigning roles securely. I'm not sure of the proper way to organize the database.
Would be nice to address the problem of users being able to change their own role.
I ended up trying this. Not sure how well it will work
```bolt
type User {
  name: String,
  email: String,
  isMember: Boolean,
}

type Role {
  isAdmin: Boolean
}

path /users/{uid} is User {
  read() { isCurrentUser(uid) || isAdmin(uid) }
  write() { isCurrentUser(uid) || isAdmin(uid) }
  validate() { this.isMember === false || isAdmin(uid) }
}

path /roles/{uid} is Role {
  read() { isAdmin(uid) }
  write() { isAdmin(uid) }
}

isCurrentUser(uid) { auth != null && auth.uid == uid }
// root.roles[uid] indexes by the variable; root.roles.uid would look up a child literally named "uid"
isAdmin(uid) { auth != null && root.roles[uid].isAdmin.val() }
```
This is getting me closer to an answer http://stackoverflow.com/questions/21815229/is-there-a-way-to-restrict-registrations-in-firebase/21834842#21834842
@Andersos if you don't mind, what is that code you used in your previous comment? Looks interesting
I just wrote up some thoughts on what I think is a promising solution to admin / moderator roles from the Firechat app (written by the Firebase devs) - http://curlybrackets.co/blog/2016/03/07/implementing-roles-in-firebase/
@lazabogdan If it still matters, that code was written in Bolt.
According to Firebase, "Bolt is a high level modeling and security language that lets you easily translate your application's data structure to the low-level JSON rules needed to secure your data in Firebase."
I'm using it in some projects and it's pretty good.
Are you still using it? It is not clear if it will be maintained after Firebase 3.0.
I am working on an advanced role based security rules system for an app based on this.
Data layout:

```
chat_permissions
  chat1
    admins
      user1 = true
      user2 = true
    observers
      user3 = true
```

Rules:

```json
"chat_permissions": {
  ".read": "auth != null",
  "$group": {
    ".write": "data.child('admins').hasChild(auth.uid) || !data.child('admins').exists()"
    // allows to modify users permissions (as well as add or delete users) if user is admin or if there are no admins
  }
}
```
After this you set all security rules based on user permissions
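The second step that the comment above leaves implicit (rules on the chat data itself that consult `chat_permissions`), as an added example that is not the commenter's code. It assumes the messages live at `/chats/$group/messages/$message`, which the page does not state, and it adds an `auth != null &&` guard to the commenter's write rule so that an unauthenticated request never reaches the `hasChild(auth.uid)` lookup. Each rule on the chat data reaches the permission list through `root.child('chat_permissions').child($group)`, with `$group` being the same wildcard as in the path being guarded.

```json
{
  "rules": {
    "chat_permissions": {
      ".read": "auth != null",
      "$group": {
        ".write": "auth != null && (data.child('admins').hasChild(auth.uid) || !data.child('admins').exists())"
      }
    },
    "chats": {
      "$group": {
        ".read": "auth != null && (root.child('chat_permissions').child($group).child('admins').hasChild(auth.uid) || root.child('chat_permissions').child($group).child('observers').hasChild(auth.uid))",
        "messages": {
          "$message": {
            ".write": "auth != null && root.child('chat_permissions').child($group).child('admins').hasChild(auth.uid)",
            ".validate": "newData.hasChildren(['user', 'message']) && newData.child('user').val() === auth.uid && newData.child('message').isString()"
          }
        }
      }
    }
  }
}
```

Admins and observers of a group can read it; only admins can post, and a post must carry the poster's own uid. The `|| !data.child('admins').exists()` clause kept from the comment means the first signed-in user to write a group's permissions becomes its admin; if that bootstrap is not wanted, drop the clause and seed each group's `admins` list from a privileged server process instead.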
Why do you want to do this if you have the admin SDK for Node?
Shouldn't `root.child($room + '/users/' + auth.uid)` be something like `root.child('rooms/' + $room + '/users/' + auth.uid)`?