Control access to Firestore documents

Time:04-08

I am creating a mock app which allows users to upload "reports". These reports are stamped with a "creatorId", which is the uid of the user who creates the report.

I'm trying to use firebase queries to only request documents whose creatorId matches the currently logged in user's uid, to prevent requests for another user's documents.

I just can't seem to get it to work. I can make it work for collections easy peasy, but can't figure it out for individual docs.

const ref = projectFirestore.collection(collection).doc(id)

This is part of my useDocument hook, to which I pass "reports" and the id in question just fine, but this allows me to access the doc even if it has a creatorId which doesn't match the currently logged in user.

My query is:

["creatorId", "==", user.uid]

Which I also pass into the hook as a prop, but I cannot for the life of me figure where to put it - the query seems to be completely ignored whatever I do, and so the doc remains open to any and all. I think I am going mad.

CodePudding user response:

Client app code can never be trusted to do the right thing, since it's running on a machine you don't control. If you want to restrict access to documents, you will need to learn about security rules. In particular, you will want to study how to limit access to documents using the currently signed in user's UID.
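A sketch of the kind of security rules the answer points to, added here as an example and not part of the original answer. It assumes the collection is named `reports` and every document carries the `creatorId` field described in the question.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection name "reports", as passed to the useDocument hook.
    match /reports/{reportId} {
      // Signed-in user whose uid equals the given owner id.
      function isOwner(ownerId) {
        return request.auth != null && request.auth.uid == ownerId;
      }

      // Single-document reads (doc(id).get() / onSnapshot on one doc):
      // denied unless the stored creatorId is the caller's uid.
      allow get: if isOwner(resource.data.creatorId);

      // Collection queries: allowed only when the query itself is
      // constrained to the caller's own documents.
      allow list: if isOwner(resource.data.creatorId);

      // New reports must be stamped with the caller's own uid,
      // so a client cannot create a report on behalf of someone else.
      allow create: if isOwner(request.resource.data.creatorId);

      // Only the owner may update, and creatorId cannot be reassigned.
      allow update: if isOwner(resource.data.creatorId)
                    && request.resource.data.creatorId == resource.data.creatorId;

      allow delete: if isOwner(resource.data.creatorId);
    }
  }
}
```

With rules like these the server rejects a `doc(id)` read of another user's report regardless of what the client code does. Rules are not filters, so a collection query still has to include the `["creatorId", "==", user.uid]` condition or the whole query is denied.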
