Reputation: 93
Firestore security rules based on request query value
I'm trying to secure requests to a collection to allow any single get, but only to allow list if a specific key is matched.
Database structure is like this:
projects
project1
name: "Project 1 name"
board_id: "board1"
project2
name: "Project 2 name"
board_id: "board2"
boards
board1
board2
The Firestore query I'm making from Vue:
// Only return projects matching the requested board_id
db
.collection("projects")
.where("board_id", "==", this.board_id)
The security rules I'd like to have would be something like this:
match /projects/{project} {
allow get: if true // this works
allow list: if resource.data.board_id == [** the board_id in the query **]
// OR
allow list: if [** the board_id in the query **] != null
I want to do this so you can list the projects in a specific board, but can't just list everything.
Is there a way to access the requested .where() in the security rules or do I need to nest my projects collection inside my boards collection and secure it that way?
Upvotes: 9
Views: 2699
Answers (1)
Reputation: 4908
It really depends on how you want to query data in the future. If you have no requirement to list all of the projects (irrespective of the board), then your current data model is better and can be secured by adding the allowed boards as a map {board_id: true} or (ideally) sub-collection to the /users document.
Current data model
Database
/projects/{project_id}
/boards/{board_id}
/users/{uid}/boardPermissions/{board_id}
Security rules
match /projects/{project} {
allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${resource.data.board_id})
Alternative data model
If you want to totally partition your data (which is what I tend to do for many of my projects), then create the following model
Database
/boards/{board_id}/projects/{project_id}
/users/{uid}/boardPermissions/{board_id}
Security rules
match /boards/{board_id}/projects/{project_id} {
allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${board_id})
Upvotes: 4
Related Questions
- Firestore rules validate query field value
- Firestore security rules: evaluating incoming requests against other documents in the database
- Firestore Security Rule: Check user input on get query
- Firestore per-field security rule
- Limit access to firestore based on query conditions
- Firestore security rules based on map values
- Firebase Firestore - security rule based on "where" query parameters
- Dynamic Firestore rules?
- Firestore where clause with security rules
- Cloud Firestore: setting security rule based on authentication