StanfordBDHG / ENGAGE-HF-Firebase

Firebase cloud hosting infrastructure for the ENGAGE-HF project.
MIT License

Add security rules #7

Open pauljohanneskraft opened 2 weeks ago

pauljohanneskraft commented 2 weeks ago

Problem

Currently, the security rules do not consider all the information we have specified in the data scheme document.

Solution

Update the rules so that each clinician can only access patient data of the same organization and each patient can only access their own information. Top-level data may be available for every user (e.g. /medications/$medicationId$)

Additional context

No response


PSchmiedmayer commented 1 week ago

We would need to attach a role to a clinician and we need to define the types of roles and what they should access.

We should explore this in combination with having cloud functions that observe clinician roles and changes in roles -> permissions mappings and store these as claims in Firebase Auth (https://firebase.google.com/docs/auth/admin/custom-claims).
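Worked example (added here for illustration; it is not the repository's rules file and not code from either commenter) of how the three constraints from the issue and the custom-claims approach from the comment above fit together in one Firestore ruleset. The rules never consult a role document directly; they trust only the verified ID token (`request.auth.token`), which is where a Cloud Function would have written the claims via the Admin SDK (`admin.auth().setCustomUserClaims(uid, claims)`). Everything about the data layout is an assumption, since the data schema document is not on this page: collections `/patients/{patientId}` and `/clinicians/{clinicianId}` whose documents carry an `organization` field, patient subcollections under each patient document, and custom claims named `role` (`'clinician'` or `'patient'`) and `organization`.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- helpers: read only the verified ID token; claim names are assumptions ---
    function signedIn() {
      return request.auth != null;
    }
    function claims() {
      return request.auth.token;
    }
    function isClinician() {
      return signedIn() && claims().role == 'clinician';
    }
    function isPatient() {
      return signedIn() && claims().role == 'patient';
    }
    // Clinician scoped to one organization, carried in the custom claim set server-side.
    function sameOrganization(organization) {
      return isClinician() && claims().organization == organization;
    }
    function isOwnPatientRecord(patientId) {
      return isPatient() && request.auth.uid == patientId;
    }

    // Top-level reference data such as /medications/{medicationId}: readable by any
    // signed-in user, never writable from a client (the Admin SDK bypasses rules).
    match /medications/{medicationId}/{document=**} {
      allow read: if signedIn();
      allow write: if false;
    }

    // Patient document (assumed to carry an `organization` field).
    match /patients/{patientId} {
      allow read: if isOwnPatientRecord(patientId)
                  || sameOrganization(resource.data.organization);
      // Nobody may move a record to another organization through an update.
      allow update: if (isOwnPatientRecord(patientId)
                        || sameOrganization(resource.data.organization))
                    && request.resource.data.organization == resource.data.organization;
      allow create: if sameOrganization(request.resource.data.organization);
      allow delete: if sameOrganization(resource.data.organization);

      // Subcollections inherit the parent's organization; the get() costs one of the
      // ten document reads a single rule evaluation may perform.
      match /{collection}/{document=**} {
        allow read, write: if isOwnPatientRecord(patientId)
          || sameOrganization(
               get(/databases/$(database)/documents/patients/$(patientId)).data.organization
             );
      }
    }

    // Clinician profiles: visible to the clinician and to colleagues of the same
    // organization; role and organization are assigned server-side only.
    match /clinicians/{clinicianId} {
      allow read: if signedIn()
                  && (request.auth.uid == clinicianId
                      || sameOrganization(resource.data.organization));
      allow write: if false;
    }
    // Anything not matched above is denied by default; no catch-all is needed.
  }
}
```

Two caveats worth keeping in mind when wiring the Cloud Function side: custom claims are only seen by rules once the client holds a freshly minted ID token (the SDK refreshes it on expiry, roughly hourly, or immediately with `getIdToken(true)`), so a revoked or changed role lags until then; and the serialized claims object must stay under 1000 bytes and must not reuse reserved token field names, so a role-to-permission mapping should be stored as a small set of flags rather than copying the role document into the token.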