How users can only see their own data in Cloud Firestore?

Question

I'm building an app with Kotlin. In the app, the user can sign up and log in. After the user log in, the user adds some text and pictures, and these data is successfully added to the firebase cloud store and displayed in the app as a list. However, this list can be accessed by anyone registered on the app.

What I want to do is how users can only see their own data. So I don't want users to see each other's data. I just want every user to see their own added data. I think that I need to change Firebase Cloud Strore rules and I think userId must be equal to documentId to make it. But How can I do it ?

I'm new about this, Thank you !

Cloud Firestore Rules ;

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow only authenticated content owners access
    match /Notes/{userId}/{documents=**} {
      allow read, write: if request.auth != null && request.auth.uid ==userId
    }
  }
}

and I save useremail, noteTitle ...ect. to the database as I shared ;

val noteMapElse = hashMapOf<String, Any>()

            noteMapElse.put("userEmail", auth.currentUser!!.email.toString())
            noteMapElse.put("noteTitle", titleText.text.toString())
            noteMapElse.put("yourNote", noteText.text.toString())
            noteMapElse.put("date", Timestamp.now())



            //UUID -> Image Name

            val uuid = UUID.randomUUID()
            val imageName = "$uuid.jpg"

            val storage = FirebaseStorage.getInstance()
            val reference = storage.reference
            val imagesReference = reference.child("images").child(imageName)

            imagesReference.putFile(selectedPicture!!).addOnSuccessListener { taskSnapshot ->

                // take the picture link to save the database

                val uploadedPictureReference =
                    FirebaseStorage.getInstance().reference.child("images").child(imageName)
                uploadedPictureReference.downloadUrl.addOnSuccessListener { uri ->
                    val downloadUrl = uri.toString()
                    println(downloadUrl)

                    noteMapElse.put("downloadUrl", downloadUrl)

                    db.collection("Notes").add(noteMapElse).addOnCompleteListener { task ->
                        if (task.isComplete && task.isSuccessful) {

                            finish()
                        }


                    }.addOnFailureListener { exception ->

                        Toast.makeText(
                            applicationContext,
                            exception.localizedMessage?.toString(),
                            Toast.LENGTH_LONG
                        ).show()

                    }

                }


            }


        }

This is also my sign in and sign up activity;

fun signIn (view: View) {

        auth.signInWithEmailAndPassword(mailText.text.toString(), passwordText.text.toString())
            .addOnCompleteListener { task ->

                if (task.isSuccessful) {

                    Toast.makeText(applicationContext, "Welcome : ${auth.currentUser?.email.toString()}",
                        Toast.LENGTH_LONG).show()
                    val intent = Intent(applicationContext, ListViewActivity::class.java)
                    startActivity(intent)
                    finish()
                }

            }.addOnFailureListener { exception ->
                Toast.makeText(
                    applicationContext,
                    exception.localizedMessage?.toString(),
                    Toast.LENGTH_LONG
                ).show()

            }

    }


    fun signUp (view: View) {

        val email = mailText.text.toString()
        val password = passwordText.text.toString()


        auth.createUserWithEmailAndPassword(email,password).addOnCompleteListener {

            if (it.isSuccessful) {

                Toast.makeText(applicationContext, "Your Account Has Been Created Successfully", Toast.LENGTH_LONG).show()

                val intent = Intent(applicationContext, ListViewActivity::class.java)
                startActivity(intent)

                finish()

            }

        }.addOnFailureListener { exception ->

            if (exception != null ) {

                Toast.makeText(applicationContext,exception.localizedMessage.toString(),Toast.LENGTH_LONG).show()

            }

        }


    }

}

Answer 1

To ensure a user can see only their own notes, you'll need to have some way to identify for each document to which user it belongs. There are two common ways to do this:

1. Store all notes for a specific user in a path that contains their own UID.
2. Store the UID for the owner in each document.

From the screenshot it seems you have the first case, as the UID seems to be used as the document ID. In that case you can secure it with:

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow public read access, but only content owners can write
    match /some_collection/{documents=**} {
      // Allow reads
      // Allow creation if the current user owns the new document
      allow read, create: if request.auth.uid == request.resource.data.author_uid;
      // Allow updates by the owner, and prevent change of ownership
      allow update: if request.auth.uid == request.resource.data.author_uid
                    && request.auth.uid == resource.data.author_uid;
      // Allow deletion if the current user owns the existing document
      allow delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}

This example comes straight from the documentation on securing content-owner only access, so I recommend reading that for more details.