drekka

Reputation: 21903

Firestore auth rule to test reference value in list

I'm trying to create a Firestore auth rule that checks the current user against a list of team members in a team document. The members are stored as document references so I've been trying things like this:

match /teams/{document=**} {
    allow read: if path("/users/" + request.auth.uid) in resource.data.members;
}

But when I try and access the team document I get told there is an Auth failure.

Each team member has their own document in /users using their UID as a key. So a user might be /users/12345678 and the teams document might have:

/teams/team1 {
    members: [/users/12345678, ....]
}

Where the members are Reference types.

So far I've not been able to figure this out as Firestore does not seem to have the concept of a document reference type in its auth rules.

Any suggestions?

Upvotes: 1

Views: 122

Answers (1)

Doug Stevenson

Reputation: 317948

Security rules do have a concept of a reference, and it's represented as a Path type object. When a document reference is read by security rules, you have to treat it like a Path. And that Path will be fully qualified like this:

/databases/$(database)/documents/collection/documentId

Where $(database) comes from your usual top-level database wildcard match.

So, your rule might be implemented like this:

match /teams/{document=**} {
    // The stored reference is compared as a fully qualified Path to the caller's own users document
    allow read: if /databases/$(database)/documents/users/$(request.auth.uid) in resource.data.members;
}

Note that in security rules, you can build a path simply by starting with a /, and use $(foo) for interpolating variables as path components.

Upvotes: 2
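A complete rules file that applies the approach in the answer above, added here as an example and not the answerer's own code. It assumes top-level collections named /users and /teams, a single-level teams collection (so {teamId} replaces the recursive {document=**} wildcard, which would otherwise also grant the read to every subcollection under a team), and a members field holding a list of document references. The explicit request.auth != null and 'members' in resource.data checks, and the write rules, are additions beyond the answer, so that unauthenticated requests and documents without a members field are denied cleanly rather than failing with an evaluation error.

```firestore
rules_version = '2';
service cloud.firestore {
  // Top-level wildcard that binds $(database); the reference paths below depend on it
  match /databases/{database}/documents {

    // Fully qualified path of the signed-in caller's own document (assumed collection name: users)
    function callerUserPath() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    // True when the given document lists the caller among its member references.
    // A stored Reference field is exposed to rules as a Path, so the `in` test compares Paths.
    function isTeamMember(team) {
      return 'members' in team.data
          && callerUserPath() in team.data.members;
    }

    // Users may read only their own document (assumed policy for the users collection)
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
    }

    // One document per team; {teamId} instead of {document=**} keeps subcollections out of scope
    match /teams/{teamId} {
      // Reading a team requires sign-in and membership in the stored document
      allow read: if request.auth != null && isTeamMember(resource);

      // Updating requires membership before and after the write, so a member cannot
      // remove the membership list (and with it the read restriction) or lock themselves out
      allow update: if request.auth != null
                    && isTeamMember(resource)
                    && isTeamMember(request.resource);

      // Creating a team requires the creator to list themselves as a member
      allow create: if request.auth != null && isTeamMember(request.resource);
    }
  }
}
```

The members array must contain DocumentReference values written by the client SDK, as in the question; a string such as "/users/12345678" is a String in rules, never equal to a Path, and would always fail the membership test. For a project with a single database, $(database) resolves to (default) at evaluation time.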
