1

I'm trying to create an admin interface for the web application I'm developing. I'm using Angular with Angularfire2. I'm using Firebase Firestore as the database.

I wanted to see how we can implement an isAdmin flag in the users collection so that specified users can access admin features.

Can anyone shed some light on how I can approach to develop this. I know there are security rules you can set on the users document. If authenticated users are allowed to read and write to their own doc, what's stopping them from changing the isAdmin flag?

Or is this really as simple as adding a boolean key and toggling that in the admin interface?

Thanks, Walter

Improve this question

1 Answer 1

Reset to default
4

You can use custom auth claims from a custom server using the Firebase Admin SDK. Then you can incorporate these claims into your Firestore security rules rules. You can find out more about controlling access with custom claims here. In your Firestore rules, for example, you could limit read access to this document using the admin custom claim like this:

service cloud.firestore {
  match /databases/{database}/documents/adminContent {
    allow read: if request.auth.token.admin == true;
  }
}

Which could be set from a custom server or Cloud Functions for Firebase like this:

// Set admin privilege on the user corresponding to uid.
admin.auth().setCustomUserClaims(uid, {admin: true}).then(() => {
  // The new custom claims will propagate to the user's ID token the
  // next time a new one is issued.
});
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Wow Jen! Thanks for responding a big fan btw. This is very cool. I never even heard of this and it should do everything I need even roles outside of just admins.
can you more explain this phrase // The new custom claims will propagate to the user's ID token the // next time a new one is issued.
I recommend you check out the link I included for further details, but that means the next time the user's auth token is refreshed (manually in code or by signing out and in again) the user's token will include the custom claim.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.