Reputation: 2478
I'm building a contact manager where a user has a bunch of "contacts" in their address book. I only want the user who created the contact to be able to query that contact. I wrote a query below that says what I want it to do, but the query does not work and I do not know why.
All contacts are created with an owner_id field that corresponds to the uid of the user that created the contact.
service cloud.firestore {
  match /databases/{database}/documents {
    match /contacts/{contactId} {
      // only allow read for contacts if the current user is the owner
      allow read: if request.auth.uid == resource.data.owner_id // <-- this does not work
      allow write: if request.auth.uid != null && request.resource.data.owner_id != null;
    }
  }
}
When I run the query, I get nothing back, and the simulator does not allow me to run list queries for the entire collection, only get for a single document. The query is simply:
db.collection('contacts')
I've also tried limiting using a where clause:
db.collection('contacts').where('owner_id', '==', <hard-coded-owner-id>)
I should note that when I query for a single document, the syntax above does appear to work. It just appears to fail when I query a collection.
So my question is, how does one write a database rule such that I can list all items in the collection while only returning the items that are associated with the logged-in user?
https://firebase.google.com/docs/firestore/security/get-started
Upvotes: 0
Views: 1208
Reputation: 317477
I would expect your first query to fail because it's essentially trying to access documents that it doesn't have permission to read. Your rules will not implicitly filter the results.
I'd expect your second query to work because it's only accessing documents that are allowed by permissions. However, it will only work when the effective UID as reported by Firebase Authentication is the same as the one you hard coded. That's what your rule is verifying: that the logged-in user is only trying to read documents where they are present in owner_id. If you're working in the console simulator, you will have to turn on Authentication and put the right UID in the form.
Upvotes: 3
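The point the answer makes, that security rules are not filters, is easy to get wrong because a single-document get and a collection list are checked differently. The following is an added example, written for this page rather than taken from the question, the answer or the Firebase SDK: an offline JavaScript model of how Firestore decides a `get` versus a `list` under the question's `allow read` rule. The contact data, the query shape (`{ field, op, value }` equality filters) and the function names are constructed for the demonstration; a real `list` check in Firestore reasons about the query's constraints, which is what `canList` models.

```javascript
// Added example (not from the question or the answer): an offline model of how
// Firestore evaluates a security rule for a single-document `get` versus a
// collection `list` query. It does not use the Firebase SDK; the predicate below
// is hand-translated from the `allow read` line in the question's rules file,
// and the data set and query shapes are constructed for the demonstration.

// Constructed sample data: three contacts belonging to two different users.
const CONTACTS = {
  c1: { owner_id: 'alice' },
  c2: { owner_id: 'bob' },
  c3: { owner_id: 'alice' },
};

// `allow read: if request.auth.uid == resource.data.owner_id`, as a JS predicate.
// `auth` is null for an unauthenticated request, which makes the comparison fail.
function readRule(auth, resourceData) {
  return auth !== null && auth.uid === resourceData.owner_id;
}

// `get` on one document: the rule is evaluated against that document's data.
function canGet(auth, docId) {
  const data = CONTACTS[docId];
  if (data === undefined) return false; // simplification: a missing doc is denied
  return readRule(auth, data);
}

// `list`: rules are not filters. Firestore does not evaluate the rule per document
// and drop the failures; it checks whether the query's own constraints guarantee
// that every document the query could return satisfies the rule. For the rule
// above that is only provable when the query carries an equality filter on
// `owner_id` whose value is the caller's uid. Anything else (no filter, a filter
// on another user's uid, an unauthenticated caller) denies the whole query, so
// the client sees an error rather than a partial result set.
function canList(auth, filters) {
  if (auth === null) return false;
  return filters.some(
    (f) => f.field === 'owner_id' && f.op === '==' && f.value === auth.uid
  );
}

// Apply the equality filters to a document; only reached once the rule check passed.
function matches(data, filters) {
  return filters.every((f) => f.op === '==' && data[f.field] === f.value);
}

// Run a list query the way the client observes it: either a permission-denied
// error for the entire query, or the documents matching the filters.
function runQuery(auth, filters) {
  if (!canList(auth, filters)) {
    return { ok: false, error: 'permission-denied', docs: [] };
  }
  const docs = Object.entries(CONTACTS)
    .filter(([, data]) => matches(data, filters))
    .map(([id, data]) => ({ id, ...data }));
  return { ok: true, error: null, docs };
}

// Demonstration of the cases from the question, with alice signed in.
const alice = { uid: 'alice' };
console.log('get c1 as alice:', canGet(alice, 'c1'));                 // true
console.log('unfiltered list as alice:', runQuery(alice, []).error);  // permission-denied
console.log('filtered on own uid:',
  runQuery(alice, [{ field: 'owner_id', op: '==', value: 'alice' }]).docs.map((d) => d.id)); // [ 'c1', 'c3' ]
console.log('filtered on someone else:',
  runQuery(alice, [{ field: 'owner_id', op: '==', value: 'bob' }]).error); // permission-denied
```

The practical consequence for the question's client code is that the `where` value must be the signed-in user's uid, not a hard-coded one. With the namespaced (v8) JavaScript SDK that is `db.collection('contacts').where('owner_id', '==', firebase.auth().currentUser.uid).get()`, and the simulator needs Authentication enabled with the same uid to accept the equivalent list request.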