How to set Firebase rules that allow authenticated users to only read and write their own data?

Question

My database structure is:

users
  david@gmail.com
    records
      ApK2DFpG87NDGYutgAVO
        pulse: 80
      Bryd87NAS20dfDGYtghg
        pulse: 78
  eva@fb.com
    records
      A81hxASDKH38dhaj9321
        pulse: 93
      A82ndasklih38ASD2eda
        pulse: 67

and rules are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{email} {
      allow create, read, update, delete: if request.auth.token.email == email;
    }
  } 
}

I would like every user (e.g. foo@gmail.com) to be able to read and write data only under that user (users/foo@gmail.com/**).

When I read users/me@gmail.com in the Rules playground (while being authenticated as me@gmail.com), I get "Simulated read allowed", as expected.

However, when I read users/me@gmail.com/records from my app (while being authenticated as me@gmail.com), I get:

FirebaseError: Missing or insufficient permissions.

What am I missing?

By the way, why the Rules playground doesn't allow reading collections (e.g. users/me@gmail.com/records)? It says:

Path must be document-level

Answer 1

You should take advantage of the recursive wildcards of version 2 of the security rules, as follows:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{email}/{document=**} {
      allow create, read, update, delete: if request.auth.token.email == email;
    }
  } 
}

As explained in the doc, it will match documents in any subcollections of the users collection as well as documents in the users collection.

---

By the way, why the Rules playground doesn't allow reading collections

If I am not mistaking, this is because rules are not filters, and therefore you need to exactly specify the document you want to target in the "Rules Playground".