Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I developed an app which is simple TO-DO list app. I create there my daily plan, my weekly plan and so on. TODO list is made offline. Now I would like to share my TODO list with different users of app. Like relationship MOM-KIDS (one to many) so mom can see what her kids are doing. So there is a question how to do this? I would like somehow to mark to who I would like to send my daily plan. Should I register in some cloud hosting? Probably there will be a problem with referencing to someones DB to insert other user data into someones DB (public rules are not acceptable). Allowing .read to true for "admin" (mom) users in my opinion is also bad solution cause other moms can not their kids plan. Should I send it through broadcasts or what's should be the solution in problems like this?
#Edit
I changed into Firestore DB but still I'm not sure how to get permission for users stored in array of receiverIds.
I was trying adjust Firestore security rules : searching for a user's id in array in a document into my case but I was getting always an errors. Can somebody tell me what I am doing wrong here?
service cloud.firestore {
match /databases/{database}/documents {
match /user_activity/{ids} {
allow read, write: if request.auth.uid in get(/databases/{database}/documents/user_activity/{ids}).data.receiverId
}
}
}
Greetings!
The best way would be using a database like Firebase Firestore database. It would be an easy and simple solution to implement.
For the data access rules, you can use Firebase security rules to enforce what you need.
For eg. in your case, the mom can read the data but not write to it which can easily be done.
Here are links to help you:
Firebase Firestore Introduction
Firebase security rules.
Firebase Firestore Codelab
Update:
Okay, so here is I quickly simulated, tried it and it worked absolutely fine!
This is the structure:
These are the rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /item/{items}{
allow write : if true;
allow read : if request.auth.uid in resource.data.uid;
}
}
}
NOTE: uid in resource.data.uid refers to the array uid in document.
And here are the screenshots of the results:
Here, the uid is the one entered in the array in database. Therefore, read allowed.
Here, the uid is not the one in the array in database. Therefore, read not allowed.
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 12 months ago.
Improve this question
We have created a Android app in which we have added the features so that multiple users can create an account and login to upload or download there personal files. But it has become quite different all the files that are store to real time database of firebase through different user everyone who login get access of it to download it or read it etc. I want to creat an app so that the file upload by user will be accessed only by that same user who uploaded it. What should I do? Is there any sort of rule for it?
The easiest way to do this is by storing all images for a specific user under a path/directory with their UID in it, and then use security rules to protect access based on that path.
This is actually an example in the Firebase documentation on securing content-owner only access with these rules:
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "user/<UID>/path/to/file.txt"
match /user/{userId}/{allPaths=**} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}
I wanna ask about the concept and logically ways to give another user the privilege to access other's users' data. What I want to do exactly is like this :
Basically, collection 1 contains several Users ID (UID) from authentication, then the user will have their own data collected in collection 2 which contain the data ID.
So, it's like giving access to another user to collaborate with the data like Google Docs Apps where we can add another user to edit our documents. I've been thinking of how to do this, but still, I got stuck.
My question is, how can I possibly do this? cause from what I've read, cloud firestore don't use such a foreign key like MySQL. Thank You
haven't tried something like this but i think this approch overcomes your problem.
modify your structure according to above image. userID collection will contain userIds which are allowed to edit their parent collection.and create firestore rules according to your use to check weather the userId is allowed to edit the Collection or not.
in your case when 'user 2' will have reference to 'collection 2', he/she will try to change data. firebase rule will check if auth.userId is inside the 'collection2.UserIDs' or not and will allow according that.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 2 years ago.
Improve this question
I used firebase for auth in my application, after i got a user token and user email name.
And i access to the firestore to get user data by user email logged, i can get all data of user by user email
Struct of my firestore:
- email_1:
+ data_1
- email_2:
+ data_2
A big problem is anyone got my source code, they can login with their email, then do hardcode another email in source code and get data from firestore, therefore they can access any data in firestore. My question, how can an isolation be achieved?
Since you are already using Firebase authentication you should use Firebase Authentication with Firebase Security Rules.
With your Firestore structure, you should write some rules that restrict access to a user document based on the user's email (the email associated to the user account in Firebase Authentication and that corresponds, if I am not mistaken, to the email in your structure).
For example, if the documents are in a users collection, you could protect them with a read access right as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userEmail} {
allow read: if request.auth.email == userEmail;
allow write: ....
}
}
}
As detailed in the doc item referred above, the auth.token variable contains different values, like email, email_verified, etc.
You should study the documentation in order to adapt the Security Rules to your exact needs. It is also highly recommended to watch the official video about Security Rules for Firestore: https://www.youtube.com/watch?v=eW5MdE3ZcAw
This question already has an answer here:
How to query a Firestore collection using a property from a step deeper with Kotlin? [duplicate]
(1 answer)
Closed 4 years ago.
I am new to Firestore cloud and I am trying to learn about it.
I am trying to build a project and I am stuck at one point.
My Firestore database looks like this:
enter image description here
enter image description here
I have a Groups collection that has "Users List" Sub-collection" where I have "timestamp" and "user_id".
When I created a group I grabbed the user_id of the "user" that creates a group and added that in "Users List".
Now I am looking to retrieve all the "Groups"(groupName) that the "CurrentUser" is involved in, and I am having hard time to figure it out because I found that NoSQL databases are very different from SQL databases.
Would be great if someone can shed a light on this matter.
Thank you
I'm not sure about this, but I think your best bet is to add some field to collect group that each user involve in "Users" Collection using array or object to collect it since Firestore can collect array or object.
But TBH, I not sure this is the best, but it is the best I can think rightnow. Because with these you only need to query 1 time for each user that you want to get usergroup and it help you to not use lots of query to get usergroups for each user. But it will couse you some additional size. But it still fine since Firestore costing is base on both query and size for this case. Little(?) additional data is better than waste lots of query to get usergroup for only one user.
This question already has answers here:
How to get userID by user Email Firebase android?
(6 answers)
Closed 5 years ago.
I am trying to know if a user exists in Firebase (Email/Password Authentication) y only knowing the display name.
I am doing this is Android (Java).
Thank you so much!
There is no built-in support in Firebase Authentication to look up users by their display name. Given the loose definition of the meaning of the display name, it would be of limited use. Display names can't be required to be unique, since it's just a value that says how the user wants to be addressed: "When you show something from/to me, show this name next to it".
Many developers end up allowing their users to pick a username/nickname, which they then do require to be unique. If that approach make sense for your use-case too, I recommend reading some of these questions about how to accomplish this with the use of the Firebase Realtime Database:
Firebase android : make username unique
Enforcing unique usernames with Firebase simplelogin
Firebase query if child of child contains a value (a more general explanation of uniqueness in the Firebase Realtime Database)
How do you prevent duplicate user properties in Firebase?