Reputation: 285
Firebase security rules, ensure one "array remove" only, and only to userId
I have notification records where there is a text and a list of users (max 10).
{text: "Beware of the dog", users: [ uid1, uid2, uid3, ... ]}
When a user read/acknowledge the notification, I want to remove him from the list of users who can see the notification (then he won't get any anymore).
For that, when the user press the "hide notification button", he send a request to update the notification record with:
users: FieldValue.arrayRemove(uid)
I want to enfore with security rules that the user:
- Doesn't change other part of the notification record.
- Send its uid and only its uid in the arrayRemove part.
Tried with
allow update: if
request.auth.uid != null
&& request.auth.uid in resource.data.users
&& request.resource.size() == 1
&& request.resource.data.users != null;
- The request.resource.size == 1 doesn't work. Can't figure out why as I have only one field in my request.
- I have no way to ensure the arrayRemove is strictly limited to its uid.
Any hint, help, idea well appreciated.
Upvotes: 9
Views: 960
Answers (2)
Reputation: 445
I had a similar situation and it was quite a brain teaser. This is what did the trick for me:
allow update: if
request.auth.uid != null
&& request.resource.data.diff(resource.data).affectedKeys().hasOnly([data])
&& request.resource.data.users.size() == resource.data.users.size() - 1
&& resource.data.users.removeAll(request.resource.data.users)[0] == request.auth.uid
Specifically:
- The first rule is the one you had - checks for user authentication
- The second rule checks the difference between the new and the old document and makes sure that the only key affected is the one named
data - The third rule makes sure that the new array is exactly 1 item shorter than the old one (so that only 1 item can be removed at a time)
- The fourth rule subtracts the new array (now reduced by 1
uid) from the old one withremoveAll()and returns an array with their difference. In this case, it returns an array which contains only the singleuidthat you chose toarrayRemove(). Then we simply check thatuid- which can only exist at position[0]- and make sure it is equal to theuidof the authenticated user.
Upvotes: 19
Reputation: 599041
I don't think this is possible without a loop, which doesn't exist in security rules. Well: if you know all users, you might be able to enumerate all options, essentially unfolding the impossible loop. But even if this is possible in security rules, the rules are going to be incredibly verbose.
I'd recommend creating a subcollection where each UID is stored in a separate document. In that subcollection you can then implement your requirement by only allowing the user to only delete their own document.
Upvotes: 1
Related Questions
- Firestore security rules - Update array field - Allow only push (arrayUnion)
- Firestore security rules: check a condition for every value in an array
- Firestore rule to only add/remove one item of array
- How Can I Create a rule in firestore security rules for each item in my array
- How To Detect Array Entry Deletion Request In Firestore Rules
- How to set Firestore security rules where an array contains a specific value
- Firestore rules: Check which array element is removed
- Firestore security rules: check if array contains strings different from user's ID
- Cloud Firestore Security Rules for array operations
- Firestore: How to setup array based security rules?