how do I implement role based access control in firebase

acole76 picture acole76 · Oct 22, 2013 · Viewed 23.3k times · Source

This is my first foray into Firebase & nosql, I come from a SQL background.

Using Simple Login Security Email/Password, how do I limit access to data in Firebase? For example, some user will have access to create a business object (users, customers, categories, etc), others won't. Is there a way to attach a list of permissions to the "auth" variable?

Answer

hiattp picture hiattp · Oct 22, 2013

There isn't a way to attach permissions directly to the auth variable (or at least that doesn't seem to be an intended strategy). I'd recommend creating a collection of users organized by auth.uid and you can keep whatever kind of permission attributes you want in there, such that your security rules might something look like this (untested):

{
  "rules": {
    ".read": true,
    "users": {
      ".write": "root.child('users').child(auth.uid).child('role').val() == 'admin'"
    }
  }
}

Where role is an attribute belonging to all objects in your users collection.

UPDATE

See comment below:

"There isn't a way to attach permissions directly to the auth variable" This changed in 2017. You can now attach custom claims to an auth profile, which are available in security rules. See bojeil's answer and the Firebase documentation for custom claims. – Frank van Puffelen