Zoon

Reputation: 1088

Firebase Firestore security rules based on reference data type

In Firestore I have a collection of items with an owner.

The owner can be a user, who should be allowed to read his documents.

With a userId you could do it like this:

allow read, write: if resource.data.userId == request.auth.uid;

But with an owner reference field there is seemingly no documentation when it comes to security rules.

I tried this security rule:

allow read, write: if resource.data.owner == 'users/$(request.auth.uid)';

and querying like this:

const owner = this.db.collection('/users').doc(auth.uid).ref;

const collection = this.db.collection('/items',
  (ref) => ref.where('owner', '==', owner)
);

but I'm still getting Missing or insufficient permissions.

Upvotes: 2

Views: 1416

Answers (2)

Posva

Reputation: 1112

References are considered paths in security rules, so you can compare one like this:

function checkUser() {
  return request.resource.data.userReference == /databases/$(database)/documents/users/$(request.auth.uid);
}

It's important to use the full path with databases/$(database)/documents in front. In this scenario, I have a collection named users, and each user's id is their uid (it looks like you are also doing that).

Upvotes: 3
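
The comparison from the answer above, applied to the question's items collection and owner field, as an added example that is not part of the original answer. The helper names signedIn and callerRef are hypothetical. Reads and deletes are checked against the stored document (resource.data), creates against the incoming data (request.resource.data).

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: true when the request carries an authenticated user.
    function signedIn() {
      return request.auth != null;
    }

    // Hypothetical helper: full document path of the caller's user document.
    // A reference field is compared as a path, so the
    // /databases/$(database)/documents prefix has to be part of it.
    function callerRef() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /items/{itemId} {
      // get, list and delete are evaluated against the stored document.
      // A list query must itself filter on owner == the caller's reference,
      // because rules do not filter results for the client.
      allow read, delete: if signedIn() && resource.data.owner == callerRef();

      // create has no stored document yet, so check the incoming data.
      allow create: if signedIn() && request.resource.data.owner == callerRef();

      // update: the caller owns the stored document and does not reassign it.
      allow update: if signedIn()
                    && resource.data.owner == callerRef()
                    && request.resource.data.owner == resource.data.owner;
    }
  }
}
```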

Jan Pospíšil

Reputation: 121

Both of these rules work for me in the Simulator (Firebase console):

allow read, write: if resource.data.owner == 'users/' + request.auth.uid;

and

allow read, write: if path(resource.data.owner) == /users/$(request.auth.uid);

But not in the query from my code.

Upvotes: 2
