Reputation: 31345
I have an email collection where any user (public) can add a new document with his email.
    docID: {
      email: '[email protected]'
    }
So right now my security rules for the email collection are:
    match /email/{documentID} {
      allow read: if request.auth.token.admin == true;
      allow create: if true;
    }
Because I don't want users being able to read other users' emails.
But I want the client code to be able to query for the user's own email, in order to avoid duplicates in my DB. So I want my client code to be able to do this:

    const querySnapshot = await props.firebase.firestore()
      .collection('email')
      .where('email', '==', email)
      .get();
QUESTION
How should I write my security rules to achieve that behavior?
I don't want them to be able to query the full email collection.
Upvotes: 0
Views: 42
Reputation: 317392
I don't think this is possible. Consider instead writing a Cloud Function that takes the email address as input, queries the email collection for it, then returns a boolean to the client indicating if it was present.
Note that this allows anyone to effectively query for any email address, not just "their own" (however you define that ownership).
Upvotes: 2
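A sketch of the Cloud Function approach suggested in the answer above, added here as an example and not code from either poster. The names `emailExists`, `normalizeEmail` and `makeFakeDb` are hypothetical, and it assumes the function runs with the Admin SDK so the rules can keep denying client reads; as the answer notes, it still answers for any address a caller submits.

```javascript
// Added example: server-side duplicate check that returns only a boolean.
const MAX_EMAIL_LENGTH = 254;

// Returns the trimmed address, or null if the input is not a plausible email string.
function normalizeEmail(input) {
  if (typeof input !== 'string') return null; // rejects objects, arrays, numbers
  const email = input.trim();
  if (email.length === 0 || email.length > MAX_EMAIL_LENGTH) return null;
  return /^[^\s@]+@[^\s@]+$/.test(email) ? email : null;
}

// db is a Firestore instance (admin.firestore() in production).
// Resolves to { exists: boolean }; never returns document data or IDs.
async function emailExists(db, data) {
  const email = normalizeEmail(data && data.email);
  if (email === null) throw new Error('invalid-argument');
  const snapshot = await db.collection('email')
    .where('email', '==', email)
    .limit(1) // one match is enough to answer the question
    .get();
  return { exists: !snapshot.empty };
}

// Assumed wiring in functions/index.js (firebase-functions v1 callable API):
//   const functions = require('firebase-functions');
//   const admin = require('firebase-admin');
//   admin.initializeApp();
//   exports.emailExists = functions.https.onCall(
//     (data) => emailExists(admin.firestore(), data));
// In that wiring, rethrow the validation error as functions.https.HttpsError.

// Constructed in-memory stand-in for Firestore so the example runs offline.
function makeFakeDb(emails) {
  return {
    collection: () => ({
      where: (_field, _op, value) => ({
        limit: () => ({
          get: async () => ({ empty: !emails.includes(value) }),
        }),
      }),
    }),
  };
}

const fakeDb = makeFakeDb(['alice@example.com']); // constructed sample data
emailExists(fakeDb, { email: ' alice@example.com ' })
  .then((r) => console.log(r)); // { exists: true }
```

The client calls this function in place of the `where('email', '==', email)` query, so the `allow read` rule stays admin-only.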