
I've been working on a blogging app for my personal website, and I want to only allow myself to post new blog posts, but allow all the logged in users to add comments to the posts.

Here is how the data currently looks:

"posts": {
  "-KpZlH9PYs7mAf8avBmI" : {
    "comments" : {
      "-KpZwWIrbM3JQ2ug1c5_" : {
        "message" : "How are you today?",
        "timestamp" : 1500637173055,
        "user" : "Florin Pop"
      },
      "-KpZyxoC0OTxnDZymP-M" : {
        "message" : "I'm fine, thank you!",
        "timestamp" : 1500637814102,
        "user" : "Florin Pop"
      }
    },
    "likes" : 0,
    "text" : "asxszx",
    "timestamp" : 1500634227427,
    "title" : "qwqew"
  }
}

As you can see, a post has a list of comments, likes, text, a timestamp and a title.

I'm not sure if the structure is the best for what I want.

Is there a way I can check if I'm the currently logged in user and only then allow for creating a new post?

Should I have the comments separately?

P.S.

Currently my database rules are:

{
  "rules": {
    ".read": true,
    ".write": "auth != null"
  }
}
Florin Pop

2 Answers

1

Should I have the comments separately?

Even without knowing all the details of your app, the answer is almost certainly "yes". Having different entity types in different top-level nodes often drastically simplifies the security rules of your database.

Is there a way I can check if I'm the currently logged in user?

In security rules you can check if the operation is coming from an authenticated user with auth != null. But your JSON contains no UID as far as I can see, so it's not clear to me who the current user is.

Frank van Puffelen
  • Well... I have `auth != null` currently, but that allows all the users to create blog posts on the website. And I only want to allow myself to do that. Is there a way I can check that by email or github? – Florin Pop Jul 21 '17 at 14:49
  • I added the rules I have at the moment in the question above... That ensures that only authenticated users can add comments to the posts. – Florin Pop Jul 21 '17 at 14:51
  • To access the email address in your security rules, see https://stackoverflow.com/questions/37986097/how-can-we-guarantee-that-the-email-saved-by-the-firebase-user-is-indeed-his-own – Frank van Puffelen Jul 21 '17 at 15:26
  • and this is the best approach to check if the user is me for the blog app? – Florin Pop Jul 21 '17 at 15:44
  • Do I need to store all the users in Firebase database? – Florin Pop Jul 21 '17 at 16:04
  • Since May 2016 the email address is available in your security rules as `auth.token.email`. You don't need to store anything in the database for that. – Frank van Puffelen Jul 21 '17 at 17:00
1

I suggest you make the following changes:

In the root of the database create a new object `admins` holding the users who can edit/create posts:

"admins": {
    "<ADMIN_1_UID>": true,
    "<ADMIN_2_UID>": true
}

Then make changes to your security rules like this:

"rules": {
    "admins": {
        ".read": false,
        ".write": false /* This ensures that only from the Firebase console you can add data to this object */
    },
    "posts": {
        ".read": true,
        /* This ensures only an admin can write post stuff; the auth != null guard avoids evaluating auth.uid for anonymous requests */
        ".write": "auth != null && root.child('admins').child(auth.uid).val() === true",
        "$postId": {
            "comments": {
                /* Write rules cascade downward, so this grants authenticated users write access to the comments node in addition to the admin rule above */
                ".write": "auth != null"
            }
        }
    }
}
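Pulling both answers together, here is a complete rules file that moves comments into their own top-level node (the first answer's recommendation) and keeps the admins list from the second answer. This is an added example, not code from either answer or from Firebase's documentation; the field validation, the rule that a comment's `user` must equal the writer's own UID, the admin moderation clause and the `$other` catch-all are assumptions about how the blog should behave, and `you@example.com` is a placeholder.

```json
{
  "rules": {
    "admins": {
      // Nobody can read or write this node through the client SDK; it is maintained
      // from the Firebase console (or the Admin SDK, which bypasses these rules).
      // Stored as { "<UID>": true } so the === true comparison below works.
      ".read": false,
      ".write": false
    },
    "posts": {
      ".read": true,
      "$postId": {
        // Only a signed-in user whose UID is listed under /admins may create, edit or delete a post.
        // Alternative from the comment thread, with no admins node at all (placeholder address):
        // "auth != null && auth.token.email_verified === true && auth.token.email === 'you@example.com'"
        ".write": "auth != null && root.child('admins').child(auth.uid).val() === true",
        ".validate": "newData.hasChildren(['title', 'text', 'timestamp'])",
        "title":     { ".validate": "newData.isString() && newData.val().length > 0" },
        "text":      { ".validate": "newData.isString()" },
        "timestamp": { ".validate": "newData.isNumber()" },
        "likes":     { ".validate": "newData.isNumber()" },
        // Reject any field not listed above.
        "$other":    { ".validate": false }
      }
    },
    "comments": {
      "$postId": {
        ".read": true,
        "$commentId": {
          // Any signed-in user may add a comment to an existing post (new data where none existed),
          // but only an admin may edit or delete one. Because write permission cascades downward,
          // granting auth != null at /comments/$postId would let any user wipe a post's comments.
          ".write": "auth != null && root.child('posts').child($postId).exists() && ((!data.exists() && newData.exists()) || root.child('admins').child(auth.uid).val() === true)",
          ".validate": "newData.hasChildren(['message', 'timestamp', 'user'])",
          "message":   { ".validate": "newData.isString() && newData.val().length > 0 && newData.val().length <= 1000" },
          "timestamp": { ".validate": "newData.isNumber()" },
          // The stored author must be the caller's own UID, so a comment cannot be posted under another user's name.
          "user":      { ".validate": "newData.val() === auth.uid" },
          "$other":    { ".validate": false }
        }
      }
    }
  }
}
```

The important cascade rule is that a `.write` granted at a parent cannot be revoked by a child, only extended, which is why comments live under `/comments/$postId/$commentId` rather than inside each post: with the original nesting, `".write": "auth != null"` at `comments` allows any signed-in user to replace or delete the entire comment list of a post. `.validate` rules are not evaluated on deletion, so the admin moderation clause still works even though `user` must equal `auth.uid` on writes. Comments store the author's UID rather than a display name; the client resolves the name separately.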