So I have a collection that I want to query against, but I do not have permissions to view all the documents. Can I make a query that will not fail if only one of the documents I am querying for is blocked to me? Or do I need to do preprocessing to clean the articleIds first?
firebase
  .firestore()
  .collection("articles")
  .where(firebase.firestore.FieldPath.documentId(), "in", articleIds)
  .get()
  .then((results) =>
    results.docs
      .map((result) => console.log(result.data()))
  )
So if articleIds = [1, 2, 3, 4, 5], then everything is good, because I have permission to view those articles, and the call succeeds. However, if articleIds = [1, 2, 3, 4, 100], then the call fails, because I do not have permission to view article 100.
So is there a way to make this call succeed even if I lack permissions?
CodePudding user response:
You don't specify the security rules that grant you access to documents 1-5 and deny you access to 100. The docs say you need to structure your query so that it matches the security rules. That implies that even if you do have access to documents [1, 2, 3, 4, 5], the query should fail, unless your security rule depends on that id.
The query fails even if the current user actually is the author of every story document. The reason for this behavior is that when Cloud Firestore applies your security rules, it evaluates the query against its potential result set, not against the actual properties of documents in your database. If a query could potentially include documents that violate your security rules, the query will fail.
db.collection("stories").where("author", "==", user.uid).get()
This would succeed because the security rule grants read access to a story based on the author, and that is part of your query. Another example on the page:
match /mydocuments/{doc} {
  allow read: if resource.data.x > 5;
}
This query fails because it can potentially return documents with x <= 5, even if ids 1 and 3 do not exist:
db.collection("mydocuments").where("x", "in", [1, 3, 6, 42, 99]).get()
But this succeeds because all the documents queried pass the rule:
db.collection("mydocuments").where("x", "in", [6, 42, 99, 105, 200]).get()
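Added example, not part of the original question or answer: a single-document `get()` is checked against that one document, so reading each ID separately lets a denied article fail on its own instead of failing the whole `in` query. `readAllowedArticles` and `fakeCollection` are hypothetical names, and the stub with its `public` rule is constructed so the code runs offline; the real call shape assumed is the namespaced `collection.doc(id).get()` used in the question.

```javascript
// Reads each article by ID and sorts the outcomes, instead of one "in" query
// that is rejected as a whole. Assumes the namespaced SDK shape from the
// question: collectionRef.doc(id).get() resolves to a snapshot or rejects
// with an error whose `code` is "permission-denied".
async function readAllowedArticles(collectionRef, articleIds) {
  const settled = await Promise.allSettled(
    articleIds.map((id) => collectionRef.doc(String(id)).get())
  );
  const readable = [];
  const denied = [];
  const missing = [];
  settled.forEach((outcome, i) => {
    const id = String(articleIds[i]);
    if (outcome.status === "fulfilled") {
      if (outcome.value.exists) readable.push({ id, data: outcome.value.data() });
      else missing.push(id);
    } else if (outcome.reason && outcome.reason.code === "permission-denied") {
      denied.push(id); // expected: the rules rejected this one document
    } else {
      throw outcome.reason; // network, quota, etc. must not be swallowed
    }
  });
  return { readable, denied, missing };
}

// Constructed stand-in for a collection so the example runs offline.
// Hypothetical rule modelled here: a stored document is readable only if
// its `public` field is true; unknown IDs come back as non-existent.
function fakeCollection(docs) {
  return {
    doc: (id) => ({
      get: async () => {
        const data = docs[id];
        if (data && !data.public) {
          throw Object.assign(new Error("Missing or insufficient permissions."), {
            code: "permission-denied",
          });
        }
        return { id, exists: data !== undefined, data: () => data };
      },
    }),
  };
}
```

Each ID is a separate request, so this trades one rejected query for N individual reads; only `permission-denied` is tolerated and every other error still propagates.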