David Haddad

Reputation: 3946

Firebase security rules syntax with arrays/list property

Within a Firebase Firestore collection with path 'organizations', each document contains a list of string user IDs of users who can update or delete that document.

export interface Organization{
  name?: string,
  owners: string[]
}

I would like to create a Firebase security rule that ensures that only a logged-in user with a uid that is in this list can edit or delete the object. Unsure of the appropriate syntax.

service cloud.firestore {
  match /databases/{database}/documents {
    match /organizations/{organization} {
      allow read: if true;
      allow create: if request.auth != null;

      /// What should be the syntax here?
      allow update, delete: if request.auth != null && (request.auth.uid in resource.data.owners); // <--------- What should be the syntax for this line?

    }
  }
}

Upvotes: 1

Views: 614

Answers (1)

David Haddad

Reputation: 3946

Ok, answering my own question here in case it's useful for anyone else.

It looks like the 'in' syntax above actually works, even though it was a complete guess and I wasn't able to find any documentation for it in the Firebase security rules documentation.

Final code:

service cloud.firestore {
  match /databases/{database}/documents {
    match /organizations/{organization} {
      allow read: if true;
      allow create: if request.auth != null;
      allow update, delete: if (request.auth != null) && (request.auth.uid in resource.data.owners);
    }
  }
}

Upvotes: 2
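
The distinction the answer's rule relies on, as an added example that is not part of the original post: `resource.data` is the document as currently stored, while `request.resource.data` is the document as the incoming write would leave it, so ownership is checked against the former and the new `owners` value is validated on the latter. The helper names `signedIn` and `isOwner`, the `rules_version` line and the extra conditions on create and update are assumptions added for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /organizations/{organization} {

      // Hypothetical helper: true when the request carries an authenticated user.
      function signedIn() {
        return request.auth != null;
      }

      // Hypothetical helper: membership is tested against the STORED document
      // (resource.data), never the incoming one. If the stored document has no
      // owners field the expression errors, and an erroring rule denies the request.
      function isOwner() {
        return signedIn() && request.auth.uid in resource.data.owners;
      }

      allow read: if true;

      // On create there is no stored document yet, so validate the incoming
      // data: owners must be a list and must contain the creating user.
      allow create: if signedIn()
        && request.resource.data.owners is list
        && request.auth.uid in request.resource.data.owners;

      // On update the caller must already be an owner of the stored document,
      // and the write must leave owners as a non-empty list so the document
      // stays manageable.
      allow update: if isOwner()
        && request.resource.data.owners is list
        && request.resource.data.owners.size() > 0;

      // On delete request.resource is null, so only the stored document is consulted.
      allow delete: if isOwner();
    }
  }
}
```

Writing the update check as `request.auth.uid in request.resource.data.owners` instead would evaluate the list supplied by the caller, which is why the answer's use of `resource.data.owners` is the form to keep.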
