1

I'm currently working on a web app that utilises the realtime database. Currently my security rules are set out to allow each user access to their UID path.

"$uid" :{
        ".read": "auth.uid === $uid",
        ".write": "auth.uid === $uid"
      }

I am now trying to add a admin section, where a specific user has access to the entire database, is there a way to give read/write access to both a specific uid, as-well as the id of the owner of the path?

My database structure looks like the following;

Client -> UID -> Data

I've read about the admin SDKs and user groups, however all I need to do I append items to the database so I think it would be easier if I can just give access to a certain admin user?

Any advice/suggestions would be greatly appreciated!

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
om123
  • 39
  • 4

1 Answers1

1

I typically grant full access to the administrative user at a higher level (sometimes even the root) of the database. For example, say you have a /users node, I'd do:

"users": {
  ".read": "auth.uid === 'uidOfYourAdminUser'",
  ".write": "auth.uid === 'uidOfYourAdminUser'",
  "$uid" :{
    ".read": "auth.uid === $uid",
    ".write": "auth.uid === $uid"
  }
}

Since permission cascades down, the admin now has read/write access to all users.

There are many ways to identify the application adminstrator. For example, you could also keep a list of their UIDs in a separate node, like this:

"admins": {
  "uidOfYourAdminUser": true
}

And then check it like this in the rules on /users:

root.child('admins').child(auth.uid).exists()
Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807