Multi-permission Firestore security rules

Question

My website has multiple accounts with different permissions.

I use custom claims inside the Firestore token to give the right access to the user.

So far it has worked perfect with this setup:

The claims for User 1 with access to 1 location looks like this: {"companyLocation": "testLocation1"}

Soon I will have users who can access one or more locations. For example User 2 can access "testLocation2" & "testLocation3" without having access to "testLocation1".

User 2 claims can for example have a seperator (" ¤ ") and look something like this: {"companyLocation": "testLocation2 ¤ testLocation3"}

How would I achieve this with security rules? I tried:

function checkMultipleLocations(){
  return request.auth.token.companyLocation.contains('testLocation2');
}

This gives me an error stating:

Invalid function name: contains

In the docs it states you can use in: v in x (Checks if value v is in list x), but this does not work for lists (does not return true), works only for objects/maps (tried by splitting the user claim string into array, without luck).

Any ideas?

Answer 1

The in operator works on a list only. The value of this claim {"companyLocation": "testLocation2 ¤ testLocation3"} is not a list, but a string. So the in operator won't work here.

---

For a list of supported operators, see the documentation for the string type in security rules. This doesn't mention a contains method, but does have a matches method, which allows you to accomplish this use case.

request.auth.token.companyLocation.matches('.*testLocation2.*')

---

You could also try to store the claim as an array:

{"companyLocation": ["testLocation2", "testLocation3"]}

If setting a claim like this works, the in operator should work. I'm saying should here, because recently somebody was having trouble setting claims like this, and I haven't tested it myself.