Reputation: 5923
If I understand correctly [1], in Firebase there is no way to restrict a user's access to data they own, nor a way to hide sensitive columns. Is this better in the newly released Firestore? Does it have workarounds?
One alternative I could think of would be to route such requests through a Cloud Function so as to filter as required, instead of allowing direct access. Might that work?
[1] Restricting child/field access with security rules
Upvotes: 3
Views: 5599
Reputation: 7870
Firestore (and Firebase) don't really make distinctions about who "owns" data. You can craft rules to implement ownership policies but there's nothing intrinsic that forces this to be the case.
In Firestore, rules apply to whole documents, so you cannot hide sensitive columns. A typical solution is to have public fields in one document and private fields in a second. You can then write rules to enforce different access to the separate documents.
When writing multiple documents like this, you have a few options. One way is to write the entirety of the record into the private half and have a function filter that and write the public part. The downside of this is that there is a delay between when you write the private part and when you can see the updated public part.
Another approach is to use write batches to write to both documents in an atomic manner. Unlike full-blown transactions, which require you to be online, write batches can be used while offline, and are appropriate where you need to make an atomic change to two or more documents but you don't expect any other writes to contend. A user updating their own profile would be a great example of a case where write batches work very well.
Upvotes: 13