Firebase Security Rules to specific Collection?

Time:02-18

I have three collections, Collection 1 and Collection 2 that can only be read by authenticated users. The third Collection is Users, which only authenticated users can read, write, update and delete, but only the document with their respective UID. The current rules are applied to all the collections. Current security rules are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if request.auth != null;
    }
  }
}

CodePudding user response:

I just want to add some detail or example here. In this rule, the user's UID is stored as the document ID.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow read, write, delete: if request.auth != null && request.auth.uid == uid;
    }
    match /collection1/{document} {
      allow read: if request.auth != null;
    }
    match /collection2/{document} {
      allow read: if request.auth != null;
    }
  }
}

I have done some testing code in local emulator:

// Own user document: concatenate the signed-in user's UID into the path
firebase.firestore().doc('/users/' + user.uid).get().then(() => {
  console.log("user self path granted")
}).catch(() => console.log("user self path deny"));

// Another user's document: should be denied by the /users/{uid} rule
firebase.firestore().doc('/users/other').get().then(() => {
  console.log("user other path granted")
}).catch(() => console.log("user other path deny"));

firebase.firestore().doc('/collection1/tCa4m3nGNjX4s3i1Uvc7').get().then(() => {
  console.log("collection1 path granted")
}).catch(() => console.log("collection1 path deny"));

firebase.firestore().doc('/collection2/tCa4m3nGNjX4s3i1Uvc7').get().then(() => {
  console.log("collection2 path granted")
}).catch(() => console.log("collection2 path deny"));

// No rule matches collection3, so Firestore denies by default
firebase.firestore().doc('/collection3/OvGk404uSdMFQAwN1qoA').get().then(() => {
  console.log("collection3 path granted")
}).catch(() => console.log("collection3 path deny"));

Data structure in Firestore

Output

user self path granted
user other path deny
collection1 path granted
collection2 path granted
collection3 path deny

CodePudding user response:

Only authenticated users can read, write, update and delete but only the document with their respective UID

You don't indicate how the user's UID is linked with the Firestore document ID. There are basically two cases:

1/ The user's UID is the Firestore document ID

service cloud.firestore {
  match /databases/{database}/documents {
    match /collection/{docId} {
      allow read, write: if request.auth != null && request.auth.uid == docId;
    }
  }
}

2/ The user's UID is stored in a field in the document ID (ex: userId field)

service cloud.firestore {
  match /databases/{database}/documents {
    match /collection/{docId} {
      // read: compare against the stored document (resource.data)
      allow read: if request.auth != null && resource.data.userId == request.auth.uid;
      // write: compare against the incoming document (request.resource.data)
      allow write: if request.auth != null && request.resource.data.userId == request.auth.uid;
    }
  }
}
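To make the behaviour of both answers concrete, here is an added example (not from either answer or from Firebase itself): a small Node.js model of how these rules evaluate. It is not the real rules engine; it exists to show how `{name}` and `{name=**}` path wildcards bind, that reads check the stored document (`resource.data`) while writes check the incoming one (`request.resource.data`), and that any path no rule matches is denied. The user `alice` and the `userId` documents are constructed sample data.

```javascript
// Bind {name} segments of a rule pattern against a document path.
// Returns the bound variables, or null if the pattern does not match.
function matchPath(pattern, path) {
  const p = pattern.split("/").filter(Boolean);
  const s = path.split("/").filter(Boolean);
  const vars = {};
  for (let i = 0; i < p.length; i++) {
    const m = /^\{(\w+)(=\*\*)?\}$/.exec(p[i]);
    if (m && m[2]) {                       // {x=**}: rules v2 recursive wildcard,
      vars[m[1]] = s.slice(i).join("/");   // matches zero or more remaining segments
      return vars;
    }
    if (i >= s.length) return null;
    if (m) vars[m[1]] = s[i];              // {x}: single-segment wildcard
    else if (p[i] !== s[i]) return null;   // literal segment must match exactly
  }
  return p.length === s.length ? vars : null;
}

// The rules from the first answer plus case 2 of the second answer (UID kept in
// a userId field). ctx models request.auth (auth), resource.data (resource) and
// request.resource.data (incoming) as the real rules see them.
const RULES = [
  { pattern: "/users/{uid}",
    read:  c => c.auth != null && c.auth.uid === c.vars.uid,
    write: c => c.auth != null && c.auth.uid === c.vars.uid },
  { pattern: "/collection1/{document}", read: c => c.auth != null },
  { pattern: "/collection2/{document}", read: c => c.auth != null },
  { pattern: "/collection/{docId}",
    read:  c => c.auth != null && c.resource?.userId === c.auth.uid,
    write: c => c.auth != null && c.incoming?.userId === c.auth.uid },
];

// Deny by default; any matching rule whose condition holds grants the operation.
// get/list are reads; create/update/delete are writes.
function isAllowed(op, path, ctx, rules = RULES) {
  const kind = ["get", "list", "read"].includes(op) ? "read" : "write";
  return rules.some(r => {
    const vars = matchPath(r.pattern, path);
    return vars !== null && typeof r[kind] === "function" && r[kind]({ ...ctx, vars });
  });
}

// Replays the first answer's emulator run with a constructed user "alice".
const alice = { auth: { uid: "alice" } };
console.log(isAllowed("get", "/users/alice", alice));    // true
console.log(isAllowed("get", "/users/other", alice));    // false
console.log(isAllowed("get", "/collection3/x", alice));  // false: no rule matches
```

Note that in case 2 a client query over `/collection` must also filter on `userId == <own uid>`; rules are not filters, so an unfiltered query is rejected outright rather than returning only the caller's documents.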