0

I'm really at a loss here, and I cannot seem to find any information at all regarding this...

I'm putting together a membership management app for my coach's jiu jitsu gym using Unity and Firebase. Gym members can check in using the app and keep track of class schedules.

I want the admins, such as my coach (the gym owner), to be able to change values of the members' information, such as if a membership fee isn't paid or if a liability waiver has expired. This way the member can see on their app if they are paid in full.

I cannot, for the life of me, find any instructions as to how to achieve this, nor can I seem to simply override it in the Firebase console. Is there any method for allowing an admin user to write to other user accounts?

b2m9
  • You can control access to the database using realtime-database rules, creating a node `/admin:true` for the user who will have full access and in the rules of the folder to be fully accessed check if the user is `admin=true` to allow read/write access. `".write": "root.child('users').child(auth.uid).child('admin').val() === true"` – Itapox Mar 29 '22 at 19:57
  • Does this answer your question? [Firebase Auth with different user types](https://stackoverflow.com/questions/47801936/firebase-auth-with-different-user-types) – b2m9 Mar 30 '22 at 07:19
  • The question isn't clear and neither is the issue you're encountering. Any user can read/write to Firebase at any time. If your coach has a Firebase user account, they can alter any data within that Firebase. [Security Rules](https://firebase.google.com/docs/database/security) prevent/allow data to be read/written; those define what a user(s) can and cannot do. What's the actual issue? Why can't the coach write data? Can you include the code? Please take a moment and review [How to create a Minimal, Reproducible Example](https://stackoverflow.com/help/minimal-reproducible-example) – Jay Mar 30 '22 at 19:31

1 Answer

0

What you're looking for is some form of Access Control.

Option 1

As @ltapox points out: maintain a list of users with elevated rights in RTDB. You can query against those values in your Security Rules.

Option 2

Set Custom Claims in Firebase Auth. This has to be done on the server, and basically adds custom properties to the Firebase Auth object of a user. You then have access to these properties in your Security Rules (see docs here) and on the client (docs).

Of the two options, I would recommend option 2 even though it's more effort. The benefit on the client is you know what type a user is by just looking at their Auth object, without querying RTDB.

b2m9
  • 591
  • 2
  • 9
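
The two options from the answer written out as Realtime Database security rules; this is an added example, not code from the post. The `/admins` node, the `checkins` child and the layout under `/users/$uid` are assumed names, and option 2 assumes an `admin: true` custom claim has already been set server-side with the Admin SDK's `setCustomUserClaims`.

```json
{
  "rules": {
    // Option 1 support node (assumed path): /admins/<uid>: true for each admin.
    // No client may read or write it; maintain it from the Firebase console or
    // the Admin SDK, both of which bypass security rules.
    "admins": {
      ".read": false,
      ".write": false
    },

    "users": {
      // Only an admin may read the whole member list.
      ".read": "auth != null && auth.token.admin === true",

      "$uid": {
        // A member may read their own record (paid status, waiver expiry).
        ".read": "auth != null && auth.uid === $uid",

        // Option 2: only accounts carrying the custom claim may change a record.
        ".write": "auth != null && auth.token.admin === true",
        // Option 1 equivalent of the write rule above:
        // ".write": "auth != null && root.child('admins').child(auth.uid).val() === true",

        // Weak variant to avoid: if the whole record is writable by its owner
        //   ".write": "auth.uid === $uid"
        // then an admin flag or a paid flag stored inside the record is
        // self-service, because the member's own client can set it.

        // Member-writable data lives in its own child (assumed name) so that
        // check-ins work without opening the admin-controlled fields.
        // Rules cascade downward: this grant adds to the admin-only rule above
        // and applies only beneath /users/<uid>/checkins.
        "checkins": {
          ".write": "auth != null && auth.uid === $uid"
        }
      }
    }
  }
}
```

Custom claims are carried in the user's ID token, so a newly granted `admin` claim only takes effect in the rules after that user's token has been refreshed.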