I have issue with allowing user to read data with such rule:

Here I check if authenticated user is either sender or receiver.

Here's message sample:

Here's users collection:

Problem is that such rule does not work. Even with one of two conditions it fails.

It actually doesn't even see the properties fromUser and toUser in resource.data.

But on tests it allows to read:

Can you please tell me where I have mistaken, cause I don't get why I can't access both resource.data.fromUser and resource.data.toUser in Firestore rules? (I am using firebase authentication via Google)

CodePudding user response：

If I correctly understand your question and comment, you are facing the limitation that "Rules are not filters".

Your query "must follow the constraints set by your security rules" so it means that it should filter on the fromUser or on the toUser fields, which is not the case with:

firestore.collection("messages").where("access", "==", hashId).orderBy("createdAt")

(Query from your comment above)

---

Note that your simulation in the "Rules Playground" works because you are fetching one document, (by its ID, see field Location), which follows the constraints set by your security rules

---

Finally, to make it easier to write your query, I would add in the message doc a field of type Array that contains both the IDs of the fromUser and toUser. This way you can query with array-contains and also simplify your security rule with the in operator.