I have the following rules for a Firestore database:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{user} {
      allow create, update: if request.auth != null;
      allow read, delete, list: if request.auth.token.email == resource.data.email;
    }
  }
}

In my app I can read the data by using getDocs(), but even though the same security is on the delete function, the following does not work:

const removeUser = async(number) => {
  console.log(number);
  console.log(auth.currentUser?.email || "No User");
  const usersRef = collection(db, 'users');
  const qU = query(usersRef, where('number', '==', number));
  const usersQuerySnapshot = await getDocs(qU);

  console.log(usersQuerySnapshot.docs.map(d => d.data().email);

  usersQuerySnapshot.forEach((user) => {
    deleteDoc(doc);
  });
};

After some debugging, I know that deleting the deleteDoc() lines still gives me an insufficient permissions error.

This function is called from another function, update(). This function also calls a getUsersOfTeacher() (a teacher has its own users) which uses the same code as removeUser() but without the deleting part. This function works with no errors.

Does anyone know what's going on here?

CodePudding user response：

Firebase's security rules do not filter the data. Instead they merely ensure that the code doesn't request more data than it's authorized for.

Since your rules require that the user's email address is in the email field of the document, your query must do the same. So something like:

query(
  usersRef, 
  where('number', '==', number),
  where('email', '==', auth.currentUser?.email) //