Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Firestore rules on object data type

Tags:

firebase

google-cloud-firestore

firebase-security

The Database have a collection "Collection" and each document inside the collection have an object "members" which contains the "uid" of users who will have access to the document.

Collection--->document-->members = {"BZntnJO2PVS8OZ9wctwHiyxBytc2": true}

I have tried many different types of rules but none of these rules seems to work

service cloud.firestore {
  match /databases/{database}/documents {
  match /collection/{documentId} {
         allow read: ****
 }
}

1)

allow read: if get(/databases/$(database)/documents/collection/$(documentId)).members[request.auth.uid] != null

2)

allow read: if resource.data.members[request.auth.uid] != null

3)

allow read: resource.members[request.auth.uid] != null

4)

allow read: if request.resource.data.members[request.auth.uid] != null

5)

allow read: request.resource.members[request.auth.uid] != null

Can it be a Firestore bug?

like image 845
Alessio Koci Avatar asked Nov 30 '17 12:11

Alessio Koci

1 Answers

You need to access the data property to get at any user-created properties, so rules 1, 3, and 5 won't work.

request.resource generally refers to the data that you're sending down to the database, typically in the case of a write operation, so rule #4 won't work, because request.resource.data will probably be empty in the case of a read.

Rule #2 does look right, but keep in mind this will only work in the case of fetching a single document. Queries are a little trickier.

Specifically, if you're running a general "Get every document in my collection" kind of query, Cloud Firestore doesn't have the time to search through every record in your database to ensure that your user has access, so it will reject this query. Instead, you'd need to run a query where Cloud Firestore can "prove" that all documents you'd retrieve will be valid. In your case, for example, you would want to make sure your query is something like "Get every document in my collection where members.(userID) != null". Cloud Firestore rules can then compare your query with its rules and feel satisfied that you'll only get documents you have access to.

like image 193
Todd Kerpelman Avatar answered Oct 11 '22 02:10

Todd Kerpelman
Sign in to Comment

Related questions

How do I access Firebase tokens outside of the FirebaseInstanceIdService?
AngularFire $add operation cause the browser to freeze
How to get external data without CORS headers with Firebase hosted webapp?
How to get database value not related to the event in Cloud Functions for Firebase?
The script resource is behind a redirect, which is disallowed
React-native, Firebase network error while trying to log in
Firebase PhoneAuthentication working in debug build but not working in the release build
Is FirebaseUser.getUid() constant for a given user?
Can Firebase give manually added objects an unique key?
FirebaseAutomaticScreenReportingEnabled is disabling even my calls
Getting id of the current user from Cloud Functions and Firebase
Firebase Analytics: registering custom parameters in the console
Firebase Passing State(continue to website link) in Password Reset Email and email verification
firebase admin failing to query large items
Firestore document get() performance
Namespaces for Multi tenancy in Cloud Firestore
Firebase cloud messaging rest API spring
Android app not working after published to Play Store
iOS Swift - Firebase custom event logging not working
Firebase dynamic link doesnt work in safari swift

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!