0
0
Firebasecloud~20 mins

Role-based access control pattern in Firebase - Practice Problems & Coding Challenges

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Challenge - 5 Problems
🎖️
Firebase RBAC Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
2:00remaining
Understanding Role Assignment in Firebase Security Rules

In Firebase Security Rules, roles are often assigned to users to control access. Which of the following best describes how roles are typically stored and checked in Firebase?

ARoles are stored as custom claims in the user's authentication token and checked in security rules.
BRoles are stored in Firestore documents and automatically enforced by Firebase without rules.
CRoles are assigned by Firebase automatically based on user email domains.
DRoles are stored in client-side local storage and verified by security rules.
Attempts:
2 left
💡 Hint

Think about where Firebase stores user-specific metadata securely for access control.

Configuration
intermediate
2:00remaining
Firebase Security Rule for Admin Role Access

Given a Firebase Firestore collection named projects, which security rule snippet correctly allows only users with the admin role to read documents?

Firebase
match /projects/{projectId} {
  allow read: if request.auth.token.role == 'admin';
}
Aallow read: if request.auth.token.role === 'admin';
Ballow read: if request.auth.role == 'admin';
Callow read: if request.auth.token.roles.includes('admin');
Dallow read: if request.auth.token.role == 'admin';
Attempts:
2 left
💡 Hint

Check the exact property name and syntax used in Firebase security rules for custom claims.

Architecture
advanced
3:00remaining
Designing Role-based Access Control with Firebase and Firestore

You want to implement a role-based access control system where users can have multiple roles stored in Firestore under users/{userId}/roles as an array. Which approach is best to enforce access control in Firebase Security Rules?

AStore roles in client-side code and pass them as request parameters to security rules.
BStore roles as custom claims in the auth token and check them directly in security rules.
CRead the roles array from Firestore in security rules using <code>get()</code> and check if it contains the required role.
DUse Firebase Functions to check roles and bypass security rules.
Attempts:
2 left
💡 Hint

Consider performance and security best practices for Firebase Security Rules.

security
advanced
2:30remaining
Preventing Privilege Escalation in Firebase RBAC

Which practice helps prevent users from escalating their privileges by modifying their roles in Firebase?

AOnly allow role changes through secure backend functions with admin privileges.
BStore roles in client-side local storage and trust the client to enforce them.
CAllow users to update their roles directly in Firestore documents.
DUse Firestore rules to allow anyone to write to the roles collection.
Attempts:
2 left
💡 Hint

Think about who should have permission to change roles and how to enforce it securely.

service_behavior
expert
3:00remaining
Effect of Custom Claims Update on Firebase Auth Tokens

After updating a user's custom claims to add a new role, what must happen for the new role to be recognized in Firebase Security Rules?

AThe Firestore database must be manually refreshed to sync roles.
BThe new claims are immediately available without any user action.
CThe user must sign out and sign back in to refresh their ID token with updated claims.
DThe client must call a special Firebase API to refresh claims automatically.
Attempts:
2 left
💡 Hint

Consider how Firebase ID tokens cache custom claims and when they update.