Reputation: 632
I'm struggling with setting the Firestore rules.
As per the screenshot, I have a collection for the users with dynamic document IDs.
I'm trying to set a rule so that a user can access only his/her own document.
FbId is the Facebook ID (since it is the authentication method in my app).
userId is the Firebase ID (not sure if it is important to save it or not).
Here is my current rule:
match /users/{document=**} {
  allow read, write: if normalUser();
}

function normalUser() {
  return request.auth.token.firebase.sign_in_provider == "facebook.com"
    && request.auth.uid != null;
}
This rule gives access to the authenticated user for the whole collection.
How can I set this rule? Is there anything I need to change in the structure?
Update: I don't want to change the document ID of the user collection to match the userId, because I have another collection where a user can have multiple documents, so that solution won't fit everything.
Thanks
Upvotes: 1
Views: 1338
Reputation: 632
My get method in the app was using the Facebook ID in the query; that is why it wasn't working.
The rule I'm using right now:
match /users/{userId} {
  allow update: if request.auth.uid == resource.data.userId;
}
Thanks
Upvotes: 6
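A fuller version of the field-based ownership check used in the rule above, written as an added example (not part of either answer). It assumes a helper named isOwner and a second collection called posts, standing in for the "multiple documents per user" collection mentioned in the question; both names are made up here.

```firestore
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed helper: true when the signed-in Firebase user owns the
    // document, judged by the userId field stored inside it.
    function isOwner(doc) {
      return request.auth != null && request.auth.uid == doc.data.userId;
    }

    match /users/{userId} {
      // Reading or deleting requires the stored document to carry the caller's UID.
      allow read, delete: if isOwner(resource);
      // On create, the incoming document must already be stamped with the caller's UID.
      allow create: if isOwner(request.resource);
      // On update, the caller must own the stored document AND must not reassign
      // it to someone else, so request.resource is checked as well.
      allow update: if isOwner(resource) && isOwner(request.resource);
    }

    // The same ownership test for a collection where one user has many documents
    // (collection name "posts" is assumed).
    match /posts/{postId} {
      allow read, delete: if isOwner(resource);
      allow create: if isOwner(request.resource);
      allow update: if isOwner(resource) && isOwner(request.resource);
    }
  }
}
```

Rules are not filters: a list query on /users or /posts must itself constrain results with where('userId', '==', request.auth.uid) so every document it could return satisfies the rule; a query filtering on the Facebook ID field will be rejected outright, which matches the behaviour described above.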
Reputation: 317467
It will be far easier for you to use the Firebase Authentication UID of the user as the ID of the document. The Facebook UID is not going to be available in security rules.
If you use the Firebase UID, you can then write rules that look like the ones in the documentation for user-based security. Click through and read where it says "Another common pattern is to make sure users can only read and write their own data". This is probably what you want to do.
service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure the uid of the requesting user matches name of the user
    // document. The wildcard expression {userId} makes the userId variable
    // available in rules.
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }
  }
}
Upvotes: 0