I have issue with allowing user to read
data with such rule:
Here I check if authenticated user is either sender or receiver.
Here's message sample:
Here's users collection:
Problem is that such rule does not work. Even with one of two conditions it fails.
It actually doesn't even see the properties fromUser
and toUser
in resource.data
.
But on tests it allows to read:
Can you please tell me where I have mistaken, cause I don't get why I can't access both resource.data.fromUser
and resource.data.toUser
in Firestore rules? (I am using firebase authentication via Google)
CodePudding user response:
If I correctly understand your question and comment, you are facing the limitation that "Rules are not filters".
Your query "must follow the constraints set by your security rules" so it means that it should filter on the fromUser
or on the toUser
fields, which is not the case with:
firestore.collection("messages").where("access", "==", hashId).orderBy("createdAt")
(Query from your comment above)
Note that your simulation in the "Rules Playground" works because you are fetching one document, (by its ID, see field Location
), which follows the constraints set by your security rules
Finally, to make it easier to write your query, I would add in the message
doc a field of type Array that contains both the IDs of the fromUser
and toUser
. This way you can query with array-contains
and also simplify your security rule with the in
operator.