Reputation: 13
My website has multiple accounts with different permissions.
I use custom claims inside the Firestore token to give the right access to the user.
So far it has worked perfect with this setup:
The claims for User 1 with access to 1 location looks like this: {"companyLocation": "testLocation1"}
Soon I will have users who can access one or more locations. For example User 2 can access "testLocation2" & "testLocation3" without having access to "testLocation1".
User 2 claims can for example have a seperator (" ¤ ") and look something like this: {"companyLocation": "testLocation2 ¤ testLocation3"}
How would I achieve this with security rules? I tried:
function checkMultipleLocations(){
return request.auth.token.companyLocation.contains('testLocation2');
}
This gives me an error stating:
Invalid function name: contains
In the docs it states you can use in: v in x
(Checks if value v is in list x), but this does not work for lists (does not return true), works only for objects/maps (tried by splitting the user claim string into array, without luck).
Any ideas?
Upvotes: 1
Views: 129
Reputation: 600006
The in
operator works on a list only. The value of this claim {"companyLocation": "testLocation2 ¤ testLocation3"}
is not a list, but a string. So the in
operator won't work here.
For a list of supported operators, see the documentation for the string type in security rules. This doesn't mention a contains
method, but does have a matches
method, which allows you to accomplish this use case.
request.auth.token.companyLocation.matches('.*testLocation2.*')
You could also try to store the claim as an array:
{"companyLocation": ["testLocation2", "testLocation3"]}
If setting a claim like this works, the in
operator should work. I'm saying should here, because recently somebody was having trouble setting claims like this, and I haven't tested it myself.
Upvotes: 1