1

In my application I am supposed to have three kinds of roles:

  • Store: Can do whatever kind of reads and writes on anything bellow their owned key;

  • Customers: Can create their chat keys only underneath their designated store; Once a chat is created they can only push to the message child, on their own chats;

  • Attendants: Can only update chats which are designated to them, and insert under their messages tag.

The database is something similar to:

"$store_id": {
    "owner": STORE_ID,
    "chats": {
        ...
        "$chat_id": {
            "owner": COSTUMER,
            "attendant": ATTENDANT,
            "messages": {
                "$message_id": {
                    "owner": CUSTOMER_ID
                }
            }
        }
        ...
    }
}

I can't figure out how I can achieve this behavior because:

  1. If a permission is applied to a top level node, their children can't override it;
  2. If someone crack into the database with valid credentials (i.e.: customers'), they can assume whatever role they want;

How this kind of issue is managed in Firebase?

thyago stall
  • 1,654
  • 3
  • 16
  • 30
  • Did you see this answer? http://stackoverflow.com/questions/21815229/is-there-a-way-to-restrict-registrations-in-firebase/21834842#21834842 – David East Feb 05 '16 at 19:09
  • Yes. I solved the role's problem. But I still stuck on the hierarchy stuff. – thyago stall Feb 05 '16 at 19:11
  • You could try to break out your `chats/$chat_id/messages` structure to the root, so it would be `/chatMessages/$chat_id`, that way you don't have to worry about nesting – David East Feb 05 '16 at 19:18

0 Answers0