Menu
As for security rules of Firebase Realtime Database, both public and private data can exist in the same tree using such as the following rule.
However, when using Firestore, it doesn't seem to enable us to do the same because the chuck of data we can retrieve is only under collection or document. When public and private data is defined in the same document and getting data w/ collection/document, we'd get error of insufficient permissions as for private data if we are not the owner.
When using RTDB, we can get data of 'users/{userId}/publicInfo' because we don't have any idea of collection/document.
Are there any way to do this of RTDB with Firestore? Otherwise, we should have public/private collection separately?
// rule of Firebase Realtime Database
"users": {
"$user_id": {
".read": "auth.uid === $user_id",
".write": "auth.uid === $user_id",
"private": {
".read": "auth.uid === $user_id" // --- private data
}
"public": {
".read": "auth !== null"; // --- public data
}
}
}
// Firestore
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
match /{private=**} {
allow read, write: if request.auth == userId;
}
match /{public=**} {
allow read, write: if request.auth != null;
}
}
}
}
495
Firestore offers robust access management and authentication through two different methods, depending on the client libraries you use. For mobile and web client libraries, use Firebase Authentication and Firestore Security Rules to handle serverless authentication, authorization, and data validation.
rules // is a file used to define the security rules for your Firestore database. firestore. indexes. json // is a file used to define indexes for you Firestore queries.
To access your rules from the Firebase console, select your project, then in the left-hand navigation panel, click Realtime Database. Click Rules once you're in the correct database or storage bucket. To access your rules from the Firebase CLI, go to the rules file noted in your firebase. json file.
So you can't have separate security rules for separate parts of a document. You can either read the entire document, or you can't.
That said, if you wanted to give your userID document a "public" and "private" subcollection that contained documents that were public and private, that's something you can totally do, just not in the way you've currently set up your security rules.
The match /{private=**} bit as you've written it doesn't mean, "Match any subcollection that's called 'private'". It means, "Match any subcollection, no matter what, and then assign it to a variable called private". The "Recursive matching with wildcards" section of the docs covers this in more detail.
Also, you need to reference request.auth.uid to get the user's ID.
So, you probably want something more like this:
// Firestore
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
// You'll probably want to add security rules around the user document
// itself. For now, though, let's look at our subcollections:
match /private/{anything=**} {
// Only the user can read documents in their private collection
allow read, write: if request.auth.uid == userId;
}
match /public/{anything=**} {
// Anybody can read documents here, as long as they're signed in
allow read, write: if request.auth != null;
}
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
