How to match a Firestore rule on the database name

Time: 08-30

I have rules in my database to restrict users to only access data that belongs to their own account id. For debugging purposes, I would like to give all users of our own company access to all other user data.

Something like this works:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // true when the caller's account_id claim matches the path segment,
    // or when the caller belongs to our own company account
    function matchesUserAccountId(accountId) {
      return request.auth.token.account_id == accountId ||
             request.auth.token.account_id == "our_own_account_id";
    }

    match /some_collection/{accountId}/{document=**} {
      allow read: if matchesUserAccountId(accountId);
    }
  }
}

But this would obviously be a bad idea for a production database. So I would like to limit this to only our development database.

However, the following doesn't seem to work:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // only extend access to our own company account when the {database}
    // wildcard captured above equals the dev project ID
    function matchesUserAccountId(accountId) {
      return request.auth.token.account_id == accountId ||
             (database == "our_dev_project_id" &&
              request.auth.token.account_id == "our_own_account_id");
    }

    match /some_collection/{accountId}/{document=**} {
      allow read: if matchesUserAccountId(accountId);
    }
  }
}

I'm not sure why the database variable wouldn't match with the project id. I can't seem to find any info on what it might be instead. I initialize Firebase with:

databaseURL: `https://${process.env.FIREBASE_PROJECT_ID}.firebaseio.com`,

So FIREBASE_PROJECT_ID is what I'm trying to match with. Should I use something else maybe?

CodePudding user response:

Each Firebase project can have only 1 Firestore instance at the moment, and the value of the {database} wildcard is (default). You cannot get the project ID in security rules, but a workaround would be to store the project ID in a document that no one else can update and read that in the rules using the get() function.

Custom Claims might be useful as well. You can set a claim "role" that'll be set in the dev project only. So the following rule will pass in that project only:

allow read: if request.auth.uid == userId || hasAdminRoleClaim(); 

But you'll have to ensure no one can create a user with that role in the production project.
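
Both workarounds from the answer, written out as one complete rules file. This is an added example, not code from the original question or answer. It assumes a marker document at /config/environment with a string field `project_id` (written once per project with the Admin SDK, which bypasses rules), and a custom claim named `role` with the value "support_admin"; the function names `environmentProjectId`, `isDevEnvironment` and the body of `hasAdminRoleClaim` are likewise assumptions. The {database} wildcard binds the database ID, so comparing it to a project ID can never match; the marker document is what tells the two deployments apart.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Added example, not from the original post.
    // Assumed layout: one document /config/environment holding a string
    // field `project_id`, written once per project with the Admin SDK
    // (which bypasses these rules) and never writable from a client.
    function environmentProjectId() {
      return get(/databases/$(database)/documents/config/environment).data.project_id;
    }

    // True only in the project whose marker document names the dev project.
    // If the marker is missing, get() raises an error and the rule is denied,
    // which is the safe default.
    function isDevEnvironment() {
      return environmentProjectId() == "our_dev_project_id";
    }

    // Alternative from the answer: a custom claim minted server-side with the
    // Admin SDK. Claim name `role` and value "support_admin" are assumed.
    // The `in` guard makes a token without the claim evaluate to false
    // instead of erroring out.
    function hasAdminRoleClaim() {
      return request.auth != null &&
             'role' in request.auth.token &&
             request.auth.token.role == "support_admin";
    }

    // Same check as the question, now keyed on the marker document rather
    // than on the {database} wildcard (which is the database ID, never the
    // project ID).
    function matchesUserAccountId(accountId) {
      return request.auth != null &&
             (request.auth.token.account_id == accountId ||
              (isDevEnvironment() &&
               request.auth.token.account_id == "our_own_account_id"));
    }

    // Clients can neither read nor write the marker. A get() evaluated inside
    // rules does not itself pass through these rules, so the lookup above
    // still works.
    match /config/environment {
      allow read, write: if false;
    }

    match /some_collection/{accountId}/{document=**} {
      allow read: if matchesUserAccountId(accountId) || hasAdminRoleClaim();
    }
  }
}
```

Deploy the same rules file to both projects and create the marker document only in the dev project (or give the production marker a different `project_id`); either way `isDevEnvironment()` can never be true against production data. Each get() in a rule costs a document read and counts toward the per-request limit on data-access calls, so keep the marker lookup to the branch that needs it, as above. For the claim route, the only code that calls `setCustomUserClaims` with `role: "support_admin"` should live in a pipeline that can only reach the dev project. Finally, the debugging access is only as harmless as the dev data: if production data is ever restored or copied into the dev project, this rule exposes it to everyone holding the company account.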
