Authorization

Once the user is authenticated, they can access the database. However, you need some control over who can access what: not everybody should be allowed to read and write all the data present in your database. This is where Authorization comes into the picture. Firebase Database Rules allow you to control access for each user. Firebase security rules are node based and are managed by a single JSON object that you can edit in your Realtime Database console or using the Firebase CLI:

{
  "rules": {
    "users": {
      ".read": "true",
      ".write": "false"
    }
  }
}

The preceding rules determine that all users will be able to read the users' data but nobody will be able to write to it. Also, note that it is mandatory to have "rules" as the first (top-level) node in your security JSON object.

Here's an example of a rule that specifies data private to a user:

{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

Now, you might ask: we have a nested data structure, so how will the rules apply to that data? The point to remember here is that .read and .write rules cascade, meaning that granting read or write access at a parent node always grants that same read/write access to all of its child nodes.

Because of this cascade, the rules at a parent node take priority over the rules defined at its child level: once a parent has granted access, a rule at a child node cannot take it away.

Firebase rules also provide some built-in variables and functions that allow you to access Firebase Authentication information, refer to other paths, and more. We will look at these in detail in the coming sections of this chapter.
