CODEWITHSUNDEEP
firebasefirebase-authenticationgoogle-cloud-firestore
w--
w--

Reputation: 6697

Configuring rules for Firestore so user only gets records they own

This is a followup to this question
Firestore permissions

I'm trying to set rules on my firestore

service cloud.firestore {
  match /databases/{database}/documents {
    match /analysis/{analysis} {
      allow read, write: if request.auth.uid == resource.data.owner_uid;
    }
  }
}

My goal is
a. When doing a list operation only those documents belonging to a user are returned
b. only documents a user owns can be read or written by that user.

With the above configuration b. is accomplished.
how do I do accomplish a. ?

Upvotes: 9

Views: 3760

Answers (1)

jeben
jeben

Reputation: 605

Remember that firestore rules are not filters, they're a server-side validation of your queries. You should always make your queries match your rules, or else you'll get permission errors.

In your case you already made the rule to enforce reading/listing on user owned documents. Now you simply have to make the corresponding query with the right filters :

const userId = firebase.auth().currentUser.uid

db.collection("analysis").where("owner_uid", "==", userId)

Another thing. With your current rules, your users won't be able to create a new document, only edit an existing one, here are the updated rules to allow that :

allow read: if request.auth.uid == resource.data.owner_uid;

allow write: if request.auth.uid == resource.data.owner_uid
             || request.auth.uid == request.resource.data.owner_uid;

Upvotes: 22

Related Questions