Reputation: 2484
I'm trying to set my security rules for my app.
I have a Collection that looks like this:
Scores
|___ AutoID
|     |___ value: 22
|     |___ userID: "abc"
|     |___ history
|           |___ 20190506
|                 |___ dateString: 20190506
|                 |___ value: 22
|___ AutoID
      |___ value: 45
      |___ userID: "def"
I thought it was ok by doing that:
match /scores/{docID=**} {
  allow read: if userIsLoggedIn();
  allow create, update: if request.resource.data.userID == request.auth.uid;
  allow delete: if resource.data.userID == request.auth.uid;
}
The score can be reached by the user, but not the Collection "history".
I think that the problem comes from resource.data.userID.
The Collection "history" cannot access resource.data.userID. I would like to access resource.data.userID from the parent document.
Is it possible to do that?
Upvotes: 5
Views: 1966
Reputation: 317868
If the document field you would like to use isn't in the document being checked for read/write access matched by the rule, you will have to get() the other document (even if it is in a parent path) using its full path so that you can use its field values in your rule. Read more in the documentation about accessing other documents.
It will probably be easier if you don't use a glob wildcard in your rule, and instead call out the subcollection by name, so you can more easily build the path to the parent document using individual wildcard values. Something like this:
match /scores/{scoreId}/history/{id} {
  allow create, update:
    if get(/databases/$(database)/documents/scores/$(scoreId)).data.userID == request.auth.uid;
}
This is not an exact rule, but I hope you can see what I'm doing here in order to formulate your own.
Upvotes: 7
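A complete ruleset along the lines of the answer above, as an added example that is not part of the original question or answer. It replaces the recursive wildcard with a named history subcollection so the parent's userID can be fetched with get(). Assumptions: the body of userIsLoggedIn(), the helper name ownsScore, the wildcard name entryId, the lowercase collection path scores (paths are case-sensitive), and that the owner of a score may also delete its history entries.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed body: the question calls userIsLoggedIn() without showing it.
    function userIsLoggedIn() {
      return request.auth != null;
    }

    // Hypothetical helper: does the signed-in user own the parent score?
    // get() reads /scores/{scoreId} by its full path; each call is billed
    // as a document read.
    function ownsScore(scoreId) {
      return userIsLoggedIn()
        && get(/databases/$(database)/documents/scores/$(scoreId)).data.userID
           == request.auth.uid;
    }

    match /scores/{scoreId} {
      allow read: if userIsLoggedIn();
      allow create: if userIsLoggedIn()
        && request.resource.data.userID == request.auth.uid;
      // Tighter than the posted rule: the update is checked against the
      // stored owner, and the owner field may not be reassigned.
      allow update: if userIsLoggedIn()
        && resource.data.userID == request.auth.uid
        && request.resource.data.userID == resource.data.userID;
      allow delete: if userIsLoggedIn()
        && resource.data.userID == request.auth.uid;

      // History entries carry no userID of their own, so ownership is
      // taken from the parent score document.
      match /history/{entryId} {
        allow read: if userIsLoggedIn();
        allow create, update, delete: if ownsScore(scoreId);
      }
    }
  }
}
```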