I am writing a module that lets a user set given properties that are viewable by all users. This all happens on the /users url.

If the user is signed in and the url is /users, then the user's own profile is shown. If the url is /users/{id}, then that id is taken and used to query the database to get that user's parameters.

My question is this - is it considered bad practice to use the user's uid as the id parameter? This essentially gives a row ID away for a user's data. The only other parameter that every user has at the onset is an email address, so I am not sure what else to do.

Is there another best practice?

My rules for that collection are set so that any user can read a record, but any user can only edit their own profile. I am putting a lot of trust in that rule by giving away that ID.

Frank van Puffelen
Joshua Foxworth

1 Answer

I don't think it's a bad practice to use id. It may not be SEO friendly, but not a bad practice necessarily.

You must remember that the record id is visible on the client-side anyway (assuming you are using the @angular/fire library). It's important to configure the Firestore security rules to disallow one user from changing another user's record.

If you are building a social network where users also have a username (or @username), you might want to consider either using the username as their id so the URLs will look like /users/@<username> or /users/<username>, or alternatively you can create a collection that translates from username to the user's id, which is the more popular solution based on observation.

Personally I have done both, and I have no preference for one over the other.

Segev -CJ- Shmueli
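Added example, not part of the original question or answer: a Firestore security rules sketch for the setup discussed above, where profiles are readable by anyone but writable only by their owner, plus the username-to-uid lookup collection the answer mentions. The collection names `users` and `usernames` and the field names `displayName`, `bio`, `username` and `uid` are assumptions for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Profile documents keyed by the Firebase Auth uid (assumed layout).
    // Knowing the uid grants nothing by itself: every write is checked
    // against the caller's verified auth token, not against the URL.
    match /users/{userId} {
      // Public read. Use `request.auth != null` instead if profiles
      // should only be visible to signed-in users.
      allow read: if true;

      // Only the owner may create or update, and only the listed fields,
      // so a client cannot add fields such as a role flag.
      allow create, update: if request.auth != null
        && request.auth.uid == userId
        && request.resource.data.keys()
             .hasOnly(['displayName', 'bio', 'username']);

      allow delete: if request.auth != null
        && request.auth.uid == userId;
    }

    // Lookup collection: document id is the username, body is { uid }.
    match /usernames/{username} {
      allow read: if true;

      // A user can only claim a name for their own uid. Firestore treats
      // a write to an existing document as an update, so an already
      // claimed name cannot be taken over through this rule.
      allow create: if request.auth != null
        && request.resource.data.keys().hasOnly(['uid'])
        && request.resource.data.uid == request.auth.uid;

      // Mappings are immutable; release the name by deleting it.
      allow update: if false;
      allow delete: if request.auth != null
        && resource.data.uid == request.auth.uid;
    }
  }
}
```

With rules like these, the uid in `/users/{id}` acts as a public identifier rather than a secret; keep any private fields (email, for instance) in a separate document with its own stricter read rule.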