Firebase Firestore security rules based on reference data type

2
votes

In Firestore I have a collection of items with an owner.

The owner can be a user, who should be allowed to read his documents.

With a userId you could do like this:

allow read, write: if resource.data.userId == request.auth.uid;

But with an owner reference field there is seemingly no documentation when it comes to security rules.

I tried this security rule:

allow read, write: if resource.data.owner == 'users/$(request.auth.uid)';

and querying like this:

const owner = this.db.collection('/users').doc(auth.uid).ref;

const collection = this.db.collection('/items',
  (ref) => ref.where('owner', '==', owner)
);

but I'm still getting Missing or insufficient permissions.

2
firebasegoogle-cloud-firestorefirebase-security

2 Answers

2
votes

Both these rules work for me in Simulator (Firebase console):

allow read, write: if resource.data.owner == 'users/' + request.auth.uid;

and 

allow read, write: if path(resource.data.owner) == /users/$(request.auth.uid);

But not in the query from my code.

2
votes

References are considered as paths in security rules, so you can compare it with

function checkUser() {
  return request.resource.data.userReference == /databases/$(database)/documents/users/$(request.auth.uid);
}

It's important to use the full path with databases/$(database)/documents in front. In this scenario, I have a collection named users, and each user id is their uid (it looks like you are also doing that)