TransWikia.com

How to set up Firebase Realtime Database to allow developer to mark admins in the console

Stack Overflow Asked by Niko Konovalov on December 5, 2021

Can I give users admin privileges with just saving them to the database like so:

export const newUser = (uid) => {
  firebase
    .database()
    .ref("users/" + uid)
    .set(
      {
        admin: false,
        isProfileFilled: false,
        phone: "",
        credit: 0,
        injuries: "",
      },
      function (error) {
        if (error) {
          console.log("error saving to db");
        } else {
          console.log("saved successfully");
        }
      }
    );
};

My end goal is to be able to grant users admin access manually from the firebase console.
Then when the user logs In check if he is an admin,
if true show then all pieces of UI,
if false the user should be verified by the admin until then show them a waiting page,
When verified the normal user show see specific pieces of UI.
Also, the admin should be able to modify users (delete them or change their credit value for example)

Can I achieve all of the above without using Firebase Admin SDK, just simply setting and updating the users in the database?
What are the best practices to achieve my goal?

One Answer

Sure thing, it just requires a few steps:

  1. Create a /admins node in your database, under which you'll store the UIDs for the application administrators. The security rules for this node should allow everyone to read it, and no one to write it.

    {
      "rules": {
        "admins": {
          ".read": true,
          ".write": false
        }
      }
    }
    

    If you want to be more restrictive on who can read this data, you can even lock the reads down so that a user can only read their own administrator status node.

    {
      "rules": {
        "admins": {
          "$uid": {
            ".read": "auth.uid == $uid"
          },
          ".write": false
        }
      }
    }
    
  2. When you see a user in the Firebase console who should be an application administrator, add their UID to the /admins node.

  3. In your application, read /admins/$UID for the current user. If there is a value there, the user knows they're an application administrator and you can show the administrative UI.

  4. In the rest of your database security rules, you can check to allow certain operations only for application administrators. For example, say that you want any user to read their own profile, but administrators to be able to read all profiles, that could be:

    {
      "rules": {
        "admins": {
          "$uid": {
            ".read": "auth.uid == $uid"
          },
          ".write": false
        },
        "users": {
          ".read": "root.child('admins').child(auth.uid).exists()",
          "$uid": {
            ".read": "auth.uid == $uid",
            ".write": "auth.uid == $uid"
          },
        }
      }
    }
    

Answered by Frank van Puffelen on December 5, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP