CODEWITHSUNDEEP
androidgoogle-cloud-firestorefirebase-security
colithium
colithium

Reputation: 10327

Firestore permissions; checking if a user is in an array

In Cloud Firestore, I have a collection of documents with an array field containing all of the users that should have read permission on that document. My simplified security rules are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /collection_name/{document=**} {
      allow read: if request.auth.uid in request.resource.data.listOfIds.toSet();
    }
  }
}

A sample simplified document is:

{
  listOfIds: ["uid1", "uid2"]
}

Using the rules simulator to perform a get, reads work as expected. However, executing a similar query using the Android API returns a permission denied error. I think I'm constraining my query in the same ways the rules are (which is a requirement of Firestore; it doesn't filter out documents that the user can't read for you).

firestoreClient.collection("collection_name")
    .whereArrayContains("listOfIds", firebaseUid)
    .get()
    .addOnCompleteListener(...);

Upvotes: 1

Views: 497

Answers (1)

colithium
colithium

Reputation: 10327

It turns out, Firestore thought the query wasn't properly constrained to the defined read permissions. It was the .toSet() that threw it off. Removing that resulted in the behavior I expected.

Why did I have .toSet() to begin with? I had erroneously thought that converting the array into a set was a requirement to use the in operator. That operator works with lists as well as sets.

Upvotes: 1

Related Questions