I don't know why my security rules aren't working. It would be really helpful if someone can find the problem in this.

I want the user who sent a message in the chat be the only person able to edit or delete it. And the users present in the blocked array in the Chats document not be able to send any messages.

This is what i did:

    match /{document=**}{

        allow read, write : if false;
    }

    match /Chats/{ChatID}{
        allow read, write : if request.auth != null;
    }
    
    match /Chats/{ChatID}/Messages/{MessageID} {
        allow delete : if false;
      allow read: if request.auth != null;
    }
    
    match /Chats/{ChatID}/Messages/{MessageID}{
        allow delete, update : if resource.data.sender == request.auth.uid;
      allow create : if !(request.auth.uid in get(/databases/$(database)/documents/Chats/$(ChatID)).data.blocked);
    }

Both of them doesn't seem to work. Anyone is able to delete the message and also the user is never able to send the message whether or not it's uid is present in the blockList.

UPDATE: This is the document I am trying to delete. This is the code i use to delete the document:

FirebaseFirestore.getInstance().collection("Chats").document(CHAT_ID).collection("Messages").document(MSG_ID).delete();

CodePudding user response：

The reason you can't create messages is:

allow create : if !(request.auth.uid in get(/databases/$(database)/documents/Chats/$(ChatID)).data.blocked);

please change it to this:

allow create: if (request.auth.uid in get(/databases/$(database)/documents/Chats/$(ChatID)).data.blocked) == false;

The reason anyone can delete is:

allow delete, update : if resource.data.sender == request.auth.uid;

please change it to this:

allow delete, update : if (resource.data.sender == request.auth.uid);