Stack Overflow Asked by Niko Konovalov on December 5, 2021
Can I give users admin privileges with just saving them to the database like so:
export const newUser = (uid) => {
firebase
.database()
.ref("users/" + uid)
.set(
{
admin: false,
isProfileFilled: false,
phone: "",
credit: 0,
injuries: "",
},
function (error) {
if (error) {
console.log("error saving to db");
} else {
console.log("saved successfully");
}
}
);
};
My end goal is to be able to grant users admin access manually from the firebase console.
Then when the user logs In check if he is an admin,
if true show then all pieces of UI,
if false the user should be verified by the admin until then show them a waiting page,
When verified the normal user show see specific pieces of UI.
Also, the admin should be able to modify users (delete them or change their credit value for example)
Can I achieve all of the above without using Firebase Admin SDK, just simply setting and updating the users in the database?
What are the best practices to achieve my goal?
Sure thing, it just requires a few steps:
Create a /admins
node in your database, under which you'll store the UIDs for the application administrators. The security rules for this node should allow everyone to read it, and no one to write it.
{
"rules": {
"admins": {
".read": true,
".write": false
}
}
}
If you want to be more restrictive on who can read this data, you can even lock the reads down so that a user can only read their own administrator status node.
{
"rules": {
"admins": {
"$uid": {
".read": "auth.uid == $uid"
},
".write": false
}
}
}
When you see a user in the Firebase console who should be an application administrator, add their UID to the /admins
node.
In your application, read /admins/$UID
for the current user. If there is a value there, the user knows they're an application administrator and you can show the administrative UI.
In the rest of your database security rules, you can check to allow certain operations only for application administrators. For example, say that you want any user to read their own profile, but administrators to be able to read all profiles, that could be:
{
"rules": {
"admins": {
"$uid": {
".read": "auth.uid == $uid"
},
".write": false
},
"users": {
".read": "root.child('admins').child(auth.uid).exists()",
"$uid": {
".read": "auth.uid == $uid",
".write": "auth.uid == $uid"
},
}
}
}
Answered by Frank van Puffelen on December 5, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP