Reputation: 2135
I have a Firestore security rule that checks that a user has the proper code to access another document.
service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      allow read: if get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
    }
  }
}
This works great. However, if I try to move this check into a custom function like so:
service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      allow read: if isPartOfOrg();
    }
  }
}
function isPartOfOrg(){
  return get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
}
Then I start to get permission errors. I haven't done anything but move the logic into a function; why is this not working?
Upvotes: 2
Views: 385
Reputation: 2135
I figured it out while writing the question. The docs say that functions have access to variables and functions from the scope in which they are defined and not from where they are called.
So, move the function into the match block like so, and everything works again!
service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      function isPartOfOrg(){
        return get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
      }
      allow read: if isPartOfOrg();
    }
  }
}
Hope this helps others who run into this issue!
Upvotes: 3
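As an added example (not part of either post above), the same helper can be declared once at the `/databases/{database}/documents` level, where the `database` path variable is in scope, so every sibling match block can reuse it. It also guards against an unauthenticated request before calling `get()`, since `request.auth.uid` is not available when `request.auth` is null; the collection and field names are the ones from the question.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Declared in the scope that defines {database}, so the
    // path below resolves. Visible to every match block nested here.
    function isSignedIn() {
      return request.auth != null;
    }

    // Each get() counts as a document read against the per-request
    // limit on get()/exists() calls, so keep it behind the cheap check.
    function callerOrgCode() {
      return get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode;
    }

    // resource.data is the document being read; for a list query the
    // rule is evaluated against every document the query could return.
    function isPartOfOrg() {
      return isSignedIn() && callerOrgCode() == resource.data.Code;
    }

    match /Orgs/{orgID} {
      allow read: if isPartOfOrg();
    }

    // Same helper, reused for a sibling collection that carries
    // the org's Code on each document (constructed example path).
    match /OrgDocuments/{docID} {
      allow read: if isPartOfOrg();
    }
  }
}
```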