Reputation: 2539
I have a Flutter application based on cloud_firestore and firebase_auth. I added a user (blue button) through Firebase Authentication and kept the ID in the code so that this user is the administrator. Regular users can create an account through the application (email and password). What I want is to make sure the administrator is the only one who can delete data from the database, while the rest of the users are only allowed to read and write, so I did this:
I changed roles in my Cloud Firestore project to this:
    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if request.auth != null;
          allow delete : if request.auth.uid == 'psqxVzX6BvYCuWbajhcEK1QGZOo1';
        }
      }
    }
Is this true or not, and how can Firebase be sensitive to uid?
Maybe my question is how to send the uid with the Firestore request.
Thank you in advance
Upvotes: 1
Views: 843
Reputation: 599976
write rule, that rule allows create, update and delete operations. This means that your allow read, write: if request.auth != null allows any authenticated user to create, update and delete any document in the database.
If you only want to allow any authenticated user to create or update a document, but only want the user with that specific UID to delete documents, you have to explicitly name those operations:
    allow read, create, update: if request.auth != null;
    allow delete: if request.auth.uid == 'psqxVzX6BvYCuWbajhcEK1QGZOo1';
For full info, see the documentation on granular operations.
Upvotes: 1
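The effect described in the answer, as an added example that is not part of the original posts and is not Firebase's own code: a simplified JavaScript model of how allow statements combine (a request passes if any matching statement is true, and `write` expands to create, update and delete). The `isAllowed` and `deleteMatrix` helpers and the sample users are assumptions made for illustration; the two rulesets and the UID are the ones on this page.

```javascript
// Simplified model of Firestore rule evaluation (not Firebase's engine).
// `read` is shorthand for get + list, `write` for create + update + delete,
// and a request is allowed if ANY matching allow statement evaluates to true.
const EXPAND = {
  read: ['get', 'list'],
  write: ['create', 'update', 'delete'],
};

const ADMIN_UID = 'psqxVzX6BvYCuWbajhcEK1QGZOo1'; // UID from the question

const signedIn = (req) => req.auth != null;
const isAdmin = (req) => req.auth != null && req.auth.uid === ADMIN_UID;

// Ruleset from the question: `write` already grants delete to everyone signed in.
const originalRules = [
  { ops: ['read', 'write'], when: signedIn },
  { ops: ['delete'], when: isAdmin },
];

// Ruleset from the answer: delete is only reachable through the admin statement.
const fixedRules = [
  { ops: ['read', 'create', 'update'], when: signedIn },
  { ops: ['delete'], when: isAdmin },
];

// Hypothetical helper: true if any statement covering `op` has a true condition.
function isAllowed(rules, op, req) {
  return rules.some((rule) => {
    const granted = rule.ops.flatMap((o) => EXPAND[o] || [o]);
    return granted.includes(op) && rule.when(req);
  });
}

// Constructed sample requests (request.auth is filled in from the signed-in user).
const regularUser = { auth: { uid: 'constructed-regular-user' } };
const admin = { auth: { uid: ADMIN_UID } };
const anonymous = { auth: null };

// Hypothetical helper: who may delete under a given ruleset.
function deleteMatrix(rules) {
  return {
    regular: isAllowed(rules, 'delete', regularUser),
    admin: isAllowed(rules, 'delete', admin),
    anonymous: isAllowed(rules, 'delete', anonymous),
  };
}

console.log('original:', deleteMatrix(originalRules));
console.log('fixed:   ', deleteMatrix(fixedRules));
```

To check the deployed rules themselves rather than this model, run the same delete attempts against the Firestore emulator.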