Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Firestore security rules based on request query value

I'm trying to secure requests to a collection to allow any single get, but only to allow list if a specific key is matched.

Database structure is like this:

projects
  project1
    name: "Project 1 name"
    board_id: "board1"
  project2
    name: "Project 2 name"
    board_id: "board2"

boards
  board1
  board2

The Firestore query I'm making from Vue:

// Only return projects matching the requested board_id

db
  .collection("projects")
  .where("board_id", "==", this.board_id)

The security rules I'd like to have would be something like this:

match /projects/{project} {
  allow get: if true // this works
  allow list: if resource.data.board_id == [** the board_id in the query **]

  // OR

  allow list: if [** the board_id in the query **] != null

I want to do this so you can list the projects in a specific board, but can't just list everything.

Is there a way to access the requested .where() in the security rules or do I need to nest my projects collection inside my boards collection and secure it that way?

like image 972
basil Avatar asked Feb 24 '18 10:02

basil


People also ask

How do I set firestore security rules?

Cloud Firestore provides a rules simulator that you can use to test your ruleset. You can access the simulator from the Rules tab in the Cloud Firestore section of the Firebase console. The rules simulator lets you simulate authenticated and unauthenticated reads, writes, and deletes.

What file should be used for firestore rules firestore rules?

rules // is a file used to define the security rules for your Firestore database. firestore. indexes. json // is a file used to define indexes for you Firestore queries.

What is firestore security rules?

Cloud Firestore Security Rules allow you to control access to documents and collections in your database. The flexible rules syntax allows you to create rules that match anything, from all writes to the entire database to operations on a specific document.


1 Answers

It really depends on how you want to query data in the future. If you have no requirement to list all of the projects (irrespective of the board), then your current data model is better and can be secured by adding the allowed boards as a map {board_id: true} or (ideally) sub-collection to the /users document.

Current data model

Database

/projects/{project_id}
/boards/{board_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /projects/{project} {
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${resource.data.board_id})

Alternative data model

If you want to totally partition your data (which is what I tend to do for many of my projects), then create the following model

Database

/boards/{board_id}/projects/{project_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /boards/{board_id}/projects/{project_id} {
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${board_id})
like image 64
Jason Berryman Avatar answered Nov 15 '22 10:11

Jason Berryman