
Very interesting. How are rules updated dynamically? Take a Flickr picture for example. I start it as public, then later decide I want to make it friends & family. How does the client side securely update those rules?



This is where Security Rules shine over ACLs or other more rigid security models. As the application developer, you have complete control over that sort of functionality since the rules are quite flexible and have direct access to your Firebase data.

So you could store a 'public' flag on every picture in your Firebase data, and then write a single rule that checks the value of that flag, and if it's true, allows anonymous access (and if it's not true, checks that the accessing user is in the picture owner's friends/family list).

Assuming your rules let the picture owner edit the 'public' flag, they'll be able to flip it on and off, granting or revoking access to non-friends/family. And since everything in Firebase is real-time, the change will instantly take effect.
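
The flag-driven rule described in the comment above, as an added example that is not part of the original thread and not Firebase's own rules language: a plain JavaScript model of one read rule and one write rule over a data tree. The data layout, user names and function names are assumptions made for illustration; the weak write rule is included to show why the flag itself has to be covered by the rules.

```javascript
// Constructed sample data; the layout (pictures/<id>, owner, public, friends) is an assumption.
function makeDb() {
  return {
    pictures: { p1: { owner: "alice", public: true } },
    friends: { alice: { bob: true } },
  };
}

// Read rule: anyone if the flag is set, otherwise only the owner or someone on the owner's list.
function canRead(db, uid, picId) {
  const pic = db.pictures[picId];
  if (!pic) return false;
  if (pic.public === true) return true;
  if (uid === null) return false; // anonymous users only get public pictures
  const list = db.friends[pic.owner] || {};
  return uid === pic.owner || list[uid] === true;
}

// Write rule for the flag itself: only the owner may change it, and only to a boolean.
function canWriteFlag(db, uid, picId, value) {
  const pic = db.pictures[picId];
  return Boolean(pic) && uid !== null && uid === pic.owner && typeof value === "boolean";
}

// Weak variant for comparison: any signed-in user may write the flag.
const weakWriteFlag = (db, uid) => uid !== null;

// Apply a client write only if the write rule allows it; returns whether it was accepted.
function setPublic(db, uid, picId, value, writeRule = canWriteFlag) {
  if (!writeRule(db, uid, picId, value)) return false;
  db.pictures[picId].public = value;
  return true;
}

// The rules never change; only the data they read does.
function demo() {
  const db = makeDb();
  const out = {};
  out.anonWhilePublic = canRead(db, null, "p1");
  out.ownerMadePrivate = setPublic(db, "alice", "p1", false);
  out.anonAfter = canRead(db, null, "p1");
  out.friendAfter = canRead(db, "bob", "p1");
  out.strangerAfter = canRead(db, "mallory", "p1");
  out.strangerFlip = setPublic(db, "mallory", "p1", true);
  out.strangerFlipWeak = setPublic(db, "mallory", "p1", true, weakWriteFlag);
  out.anonAfterWeak = canRead(db, null, "p1");
  return out;
}
console.log(demo());
```

With the owner-only write rule the non-friend's attempt to set the flag is rejected; with the weak rule it is accepted and the private picture becomes readable by anyone.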


Thanks, that makes sense. The rules are unchanged, but they refer to db fields that are themselves protected by the rules.

I was critical of the Firebase security situation when they launched, but this looks like a good solution indeed.



