Reputation: 935
I am trying to secure the orders data so that it can be viewed only by store owners and/or buyers. The following are my retrieval queries with filters. The ownerId, userId, or uid across all the collections are unique and match for a particular user or store owner.
    getOrders(userId): Observable<any> {
      return this.db
        .collection('orders', ref =>
          ref.where('userId', '==', userId).orderBy('timestamp', 'desc').limit(10)
        )
        .valueChanges();
    }

    getNextPageOrders(userId, last): Observable<any> {
      return this.db
        .collection('orders', ref =>
          ref.where('userId', '==', userId).orderBy('timestamp', 'desc').startAfter(last).limit(10)
        )
        .valueChanges();
    }

    getMySells(storeId): Observable<any> {
      return this.db
        .collection('orders', ref =>
          ref.where('store.id', '==', storeId).orderBy('timestamp', 'desc').limit(10)
        )
        .valueChanges();
    }
A document of an orders collection has at least the following fields:
    {
      id: "xyz",
      userId: "a",
      store: {
        id: "b",
        ownerId: "c"
      }
    },
    {
      id: "pqr",
      userId: "a",
      store: {
        id: "e",
        ownerId: "f"
      }
    }
And a document of a stores collection has at least the following fields:
    {
      id: "b",
      ownerId: "c",
    },
    {
      id: "e",
      ownerId: "f",
    }
Here, the order owner (a) should be able to view two orders, whereas the store owners (c or f) should see only one order from (a).
I am trying to write a rule like this, but it doesn't work:
    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        function isOrderOwner(data){
          return data && request.auth.uid == data.userId;
        }
        function isStoreOwner(data){
          return data && (get(/databases/$(database)/documents/stores/$(data.store.id)).data.ownerId ==
            request.auth.uid);
        }
        match /orders/{order=**} {
          allow read: if request.auth != null && (isOrderOwner(request.data) ||
            isStoreOwner(request.data));
        }
      }
    }
Appreciate any suggestions or help!
Upvotes: 0
Views: 50
Reputation: 599601
When you perform a query on the database, your rules are checked to see if the query is allowed. If not, the query is rejected. The rules don't filter the data in any way, but merely ensure that the access is allowed.
So if you want to securely query data, you'll have to have the relevant condition both in your query code (to perform the actual filtering) and in your security rules (to ensure only that filter is allowed).
So in your second snippet:
    ref.where('store.id', '==', storeId)
       .where('userId', '==', firebase.auth().currentUser.uid)
Upvotes: 1
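Added example, not code from the question or the answer: one way to apply the "condition in both the query and the rules" principle to the order documents shown in the question. It reads the stored document through `resource.data` and relies on the `store.ownerId` field that each order already carries; it assumes that field is written by trusted code and kept in sync with the stores collection. The function names and the `uid` variable in the comments are illustrative.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // For reads, the stored document is resource.data.
    function isBuyer() {
      return resource.data.userId == request.auth.uid;
    }

    // Assumption: store.ownerId inside each order is trustworthy
    // (set by trusted code, not editable by the buyer).
    function isStoreOwner() {
      return resource.data.store.ownerId == request.auth.uid;
    }

    match /orders/{orderId} {
      // Rules are not filters: a list query is allowed only if its own
      // constraints guarantee that every possible result passes this check.
      //
      // Accepted (uid = the signed-in user's uid):
      //   buyer:  ref.where('userId', '==', uid)
      //              .orderBy('timestamp', 'desc').limit(10)
      //   seller: ref.where('store.ownerId', '==', uid)
      //              .orderBy('timestamp', 'desc').limit(10)
      //
      // Rejected, even when every matching order belongs to the caller:
      //   ref.where('store.id', '==', storeId)
      //      .orderBy('timestamp', 'desc').limit(10)
      //   (nothing in the query ties the results to request.auth.uid)
      allow read: if request.auth != null && (isBuyer() || isStoreOwner());

      // Writes are out of scope for this example and stay denied.
      allow write: if false;
    }
  }
}
```

A seller who owns several stores can add `.where('store.id', '==', storeId)` to the seller query to narrow it to one store; the `store.ownerId` constraint is what lets the rule accept it.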