Firestore security rules, nested field

1
votes

Our database structure looks like that:

trips
   12345
      toArea
         radius: 150
         name: "citycenter"
   54321
      toArea
         radius: 250
         name: "main street"

We tried to create some rules for read from document:

match /chats/{trip} {
    match /messages/{message} {
       allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea != null
    }
}

It's works fine

but next rules doesn't works:

allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea != null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea.radius != null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea.radius == null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea["radius"] == null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea["radius"] != null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data["toArea.radius"] == null
allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data["toArea.radius"] != null

I really don't understand what wrong with it, how could two opposite rules (==null / != null) doesn't work. How could we manage with fields toArea.radius in rules?

1
firebase-securitygoogle-cloud-firestore
try .data.toArea.data.radius - Hareesh
We are currently having an issue with nested properties in rules, this is almost definitely not your fault. We're working on rolling out a fix as fast as we can, thanks for your patience! - Sam Stern
would it be .data.field.data consistently? - dubace

1 Answers

2
votes

EDIT (12/18/17): These are both now fixed, so this should Just Work™.

As @hatboysam mentioned, you're currently hitting two bugs that we're working quickly to fix:

  1. get().data only works if there's a reference to resource.data or request.resource.data somewhere in your rules (we used to support get() returning the resource without using data, but this ended up being problematic so it was changed right before release).
  2. Nested properties (e.g. toArea.radius) are broken.

1 is easy to work around:

match /chats/{trip} {
    match /messages/{message} {
       allow read, write: if get(/databases/$(database)/documents/trips/$(trip)).data.toArea != null
    }
}
match /bogusPathThatWillNeverMatch {
  allow read: if resource.data != null; // should never be true
}

Both 1 and 2 will be fixed shortly, so stay tuned for resolution.