I've been searching for an answer to this for some time now.
Simply put, I have an Android app that allows users to read from and write to the database, which is Firestore.
I have a collection named BlockList which is meant to hold the user's uid as the document name and a field named userUid; the purpose of this collection is to deny any write (and only write) request from users who misbehave in the application.
In other words, I am looking for a Firestore rule that allows the users in BlockList to read only what's shared in the application and denies all the write operations they try to make.
I've already tested these rules, but they don't work: they don't allow any read or write operation, even if the user is not on the BlockList.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isBlackListed() {
// This path is missing the /documents segment, so exists() cannot resolve it and the rule fails (denies) for every user.
return exists(/databases/$(database)/BlockList/$(request.auth.uid))
}
match /{document=**} {
allow read, write: if request.auth != null && !isBlackListed();
}
}
}
----------
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
allow write: if !exists(/databases/$(database)/documents/BlockList/$(request.auth.uid))
}
}
Update
Thanks to Marc's answer, I managed to get everything right. Working rule:
match /Posts/{document=**} {
allow write: if !exists(/databases/$(database)/documents/BlockList/$(request.auth.uid));
allow read: if request.auth.uid != null;
}
I don't know if I understand your problem correctly, and it would have been helpful to see the rules you have tried so far, but I think this should work:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
// Make sure a write to all documents is only allowed when
// the current user has no document in BlockList collection
allow write: if !exists(/databases/$(database)/documents/BlockList/$(request.auth.uid))
}
}
}
I have tested this with my Firestore instance and it looks OK to me. Of course, you will most likely need to specify the documents more precisely instead of using the wildcard match.
It doesn't matter what data you have in the BlockList documents, as long as there is a document with the userUid as the document name in the BlockList collection.
I have created two documents (which represent users) in the BlockList collection.

Now I try to write to my tournaments table, which has the mentioned security rule, via the Simulator "Update" method (with auth credentials supplied, of course):

When I remove the user "8Zvq1fpWl2S0h1t7bIxNoxDcucn1" from BlockList and use the Simulator again, I get:

Summary: to me it looks like it works quite well.
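Putting the question's working rule and Marc's answer together, the following is a complete ruleset added here as an example; it is not code from the original question or answer. It assumes the same collection names, Posts and BlockList, and the convention that a BlockList document's ID is the blocked user's uid; the helper function names isSignedIn and isBlocked are my own. The important addition over the posted rules is the explicit match for BlockList: with only the wildcard rule from the answer, any user who is not (yet) blocked could write to BlockList, i.e. delete their own entry or add other users to it.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Check request.auth before touching request.auth.uid: on an
    // unauthenticated request, request.auth is null and reading .uid
    // would raise an evaluation error (which also denies, but is opaque).
    function isSignedIn() {
      return request.auth != null;
    }

    // A user is blocked when a document whose ID equals their uid exists
    // in BlockList. The path passed to exists() must be the full
    // /databases/$(database)/documents/... path; the question's first
    // attempt failed because the /documents segment was missing.
    function isBlocked() {
      return exists(/databases/$(database)/documents/BlockList/$(request.auth.uid));
    }

    // Posts (and any subcollections under a post, via the recursive
    // wildcard): every signed-in user may read, only non-blocked users
    // may create, update or delete.
    match /Posts/{document=**} {
      allow read: if isSignedIn();
      allow write: if isSignedIn() && !isBlocked();
    }

    // BlockList is never accessible from clients. Maintain it from a
    // trusted backend with the Admin SDK, which bypasses these rules.
    // exists() above still works, because get()/exists() inside rules
    // are evaluated server-side and are not subject to client rules.
    match /BlockList/{userId} {
      allow read, write: if false;
    }

    // Anything not matched above is denied by default.
  }
}
```

Two caveats when deploying this. First, each exists() or get() call in a rule counts as a document access: Firestore allows at most 10 such calls for a single-document request and 20 for multi-document requests (transactions, batched writes), and they are billed as reads. Second, the rules are only enforced for clients using the mobile/web SDKs; anything using the Admin SDK or service-account credentials bypasses them, so the BlockList must be written from a backend you control, not from the app.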