-2

I developed an app which is simple TO-DO list app. I create there my daily plan, my weekly plan and so on. TODO list is made offline. Now I would like to share my TODO list with different users of app. Like relationship MOM-KIDS (one to many) so mom can see what her kids are doing. So there is a question how to do this? I would like somehow to mark to who I would like to send my daily plan. Should I register in some cloud hosting? Probably there will be a problem with referencing to someones DB to insert other user data into someones DB (public rules are not acceptable). Allowing .read to true for "admin" (mom) users in my opinion is also bad solution cause other moms can not their kids plan. Should I send it through broadcasts or what's should be the solution in problems like this?

@Edit I changed into Firestore DB but still I'm not sure how to get permission for users stored in array of receiverIds.

enter image description here

I was trying adjust Firestore security rules : searching for a user's id in array in a document into my case but I was getting always an errors. Can somebody tell me what I am doing wrong here?

service cloud.firestore {
  match /databases/{database}/documents {
    match /user_activity/{ids} {
      allow read, write: if request.auth.uid in get(/databases/{database}/documents/user_activity/{ids}).data.receiverId
    }
  }
}

Greetings!

CallMePedro
  • 51
  • 3
  • 19
  • Or maybe is there a possiblility to create something like Server-Side-Events inside the Android app without creating Backend? – CallMePedro Sep 22 '20 at 18:42

1 Answers1

2

The best way would be using a database like Firebase Firestore database. It would be an easy and simple solution to implement.

For the data access rules, you can use Firebase security rules to enforce what you need.

For eg. in your case, the mom can read the data but not write to it which can easily be done.

Here are links to help you:

Firebase Firestore Introduction

Firebase security rules.

Firebase Firestore Codelab

Update:

Okay, so here is I quickly simulated, tried it and it worked absolutely fine!

This is the structure:

These are the rules:

rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
     match /item/{items}{
       allow write : if true;
       allow read :  if request.auth.uid in resource.data.uid;
     }
   }
}

NOTE: uid in resource.data.uid refers to the array uid in document.

And here are the screenshots of the results:

Here, the uid is the one entered in the array in database. Therefore, read allowed. enter image description here

Here, the uid is not the one in the array in database. Therefore, read not allowed.

s_o_m_m_y_e_e
  • 406
  • 4
  • 9
  • Recently I was trying to do this with Firebase Realtime Database but without success. There is no option to create relationship One to Many so other Moms can read not their kids data. Also in my previous post (https://stackoverflow.com/questions/63982106/firebase-realtime-database-allow-superusers-to-edit-subuser-data) one of delevopers from Google is not sure if this is possible. To be honest I don't believe that is not achievable in such a 'simple' case. – CallMePedro Sep 22 '20 at 18:59
  • Yes, I see . In Firebase security rules you can only hardcode the UID. If you want to have it dynamically, I can think of a solution (if it suits you). Talking about Firestore (not realtime) database, you can have an array of the UIDs of the people who can read the TODO list. And then in the security rules: check if the auth.uid is present in the list or not. For eg. the child's mom and dad can access the TODO list, so you save the UID of the mom and dad in that list. Let me know if it works out! – s_o_m_m_y_e_e Sep 22 '20 at 19:11
  • Am I getting your comment right? In Firestore I can iterate through list and on Realtime Database I cannot? If yes I am changing it without hesitation. – CallMePedro Sep 22 '20 at 19:18
  • Can you post an example of iterating through array in rules of Firestore? I think this is also not possible. – CallMePedro Sep 22 '20 at 20:04
  • I mentioned Firestore because I'm not quite sure of the features in Realtime Database. I've been working on Firestore and I doubt why one would use Realtime Database. Firestore is the best option. – s_o_m_m_y_e_e Sep 23 '20 at 01:55
  • And for your example part, I could find an answer [here](https://stackoverflow.com/questions/46835481/firestore-security-rules-searching-for-a-users-id-in-array-in-a-document). I think it would do your job and if not (in case!); you can instead of going for an array of UIDs, go for subcollections of UIDs. To check if the requested UID is present in the subcollection, there is a straightforward solution on the official page. If there's any problem, notify me! – s_o_m_m_y_e_e Sep 23 '20 at 02:29
  • Thank you for replies. I will be able to check this soultion in friday/saturday cause currently I have my PC problems. If I will spot a problem I will notify you. One again thanks :) – CallMePedro Sep 23 '20 at 18:51
  • All the best ;-) – s_o_m_m_y_e_e Sep 23 '20 at 19:21
  • Can you have a look in question? I made an edit but still got a problems – CallMePedro Sep 26 '20 at 11:40
  • Where are you getting error? If it's in your firestore online rules emulator, then you should try by a real device (it's itself written in comments of the link you provided). – s_o_m_m_y_e_e Sep 26 '20 at 11:56
  • I am getting error in Android Studio Logs that I don't have permissions – CallMePedro Sep 26 '20 at 12:01
  • Answer Updated :-D – s_o_m_m_y_e_e Sep 26 '20 at 12:32
  • So now I know where the problem is - when I get the reference to db when I am reading documents cause I have ```db.collection("user_activity").get()```. I am missing a part with autogenerated ID in 'item' path – CallMePedro Sep 26 '20 at 12:43
  • Happy to be helpful! – s_o_m_m_y_e_e Sep 26 '20 at 12:44
  • But it solves problem when I know the ID of created document before :D. Also if I store more than 2 items the error appears: Invalid collection reference. : Collection references must have an odd number of segments, but user_activity/VHMgLK5bM09wPWViwdP4 has 2. – CallMePedro Sep 26 '20 at 12:47
  • Thank for your help with the rules :) I already marked question to answered. Still a lot of work to do from my side :) – CallMePedro Sep 26 '20 at 12:48