Reputation: 31
firestore.rules
service cloud.firestore {
  match /databases/{database} {
    match /documents/board/{boardId}/{document=**} {
      allow read: if (resource.data.creatorId == request.auth.uid);
    }
  }
}
query 1 (works)
this.db
.collection("board")
.where("creatorId", "==", app.auth().currentUser.uid).onSnapshot(...)
query 2 (doesn't work, returns FirebaseError: Missing or insufficient permissions)
this.db
.collection("board")
.where("creatorId", "==", app.auth().currentUser.uid)
.where(app.firestore.FieldPath.documentId(), "in", boardIds).onSnapshot(...)
This doesn't make any sense to me. Query 2 is a subset of Query 1 and yet, unlike Query 1, violates the security rules.
Does anyone know why?
Upvotes: 3
Views: 106
Reputation: 2487
Your security rules prevent reading a document if the creatorId of it is not the user making the query.
Query 1 works because the filter follows the rule and will not read documents whose creator is not the current user.
Then, Query 2 has that second clause, which means: "I want the documents whose DocID is one of the boardIds array".
The problem might be that the documentID is considered a field of a document.
If one were to apply the second clause alone, it would probably crash because userA may try to access a userB document to check if the docID is in the array, which is not allowed.
So, even though the RESULT of the second query would be a subset of Query 1, this doesn't mean (or doesn't seem to mean) that the QUERY itself is allowed.
Upvotes: 2