Firestore rules for document field

19
votes

I'm struggling within Firestore to set security rules for a document. With the RTDB is was possible to set rules for a specific object property and I'm trying to do the same with Firestore.

RTDB Code:

"users": {
    ".read": true,
    ".indexOn": ["profile/name"],
    "$uid": {
        ".read": "auth != null",
        ".write":
            "$uid === auth.uid && !data.exists()",
        "profile": {
            "birthday": {
                ".write": "$uid === auth.uid"
            },
            "name": {
                ".write": "$uid === auth.uid"
            },
            "banned": {
                ".write": "root.child('admins').child(auth.uid).exists()"
            }
        }
    }
}

Below the same code in Firestore:

service cloud.firestore {
    match /databases/{database}/documents {
        match /users/ {
            allow read
            match /{$user} {
                allow read: if request.auth.uid != null
                allow write: if request.auth.uid == request.resource.id &&  exists(/databases/$(database)/documents/users/$(request.resource.id)) === false

                match /birthday {
                    allow write: if request.auth.uid == request.resource.id
                }
                match /name {
                    allow write: if request.auth.uid == request.resource.id
                }
                match /banned  {
                    allow write: get(/databases/$(database)/documents/users/$(request.auth.uid)).data.userType > 3
                }

            }
        }
    }
}

When I'm writing security rules for a subcollection it's working fine. But for a document field it's not working. Is this not possible or is there a special path segment in the match reference? The documentation doesn't state anything about this.

2
firebasegoogle-cloud-firestorefirebase-security

2 Answers

15
votes

You can do this by checking the request.resource.data property. As shown in this section of the documentation. You only need to match the document level. You check the field rules with an if condition.

However, you are unable to control read access to individual fields. A user can either read a whole document or not. If you need to store private data, consider adding this to a sub-collection of the user document.

Here is an example

service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure all cities have a positive population and
    // the name is not changed
    match /cities/{city} {
      allow update: if request.resource.data.population > 0
                    && request.resource.data.name == resource.data.name;
    }
  }
}
1
votes

Looks like this is now supported:

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow the user to read data if the document has the 'visibility'
    // field set to 'public'
    match /cities/{city} {
      allow read: if resource.data.visibility == 'public';
    }
  }
}

The resource variable refers to the requested document, and resource.data is a map of all of the fields and values stored in the document.

To give a concrete example, in my case I needed to provide read access to a group only if the requesting user is in the members field (which is an array) of the groups collection. So I did this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isMember(userId) {
      return (userId in resource.data.members);
    }
    match /groups/{group} {
      allow read: if request.auth != null && isMember(request.auth.uid);
    }
    //...
  }
}