I am developing the Firestore security rules for medical history app. I want staff and patients to be stored in separate collections to ensure HIPAA compliance (eg human resources or call center staff shouldn't be able to see clinical records). A patient belongs to a group which determines what products they have available to them. Patients shouldn't be able to see products from other groups. Staff need to have a privilege to see any products.
Data looks like this:
patient : {
groupId: 1
}
product : {
groupId: 1
}
staff: {
canReadProducts: true
}
This rule works to allow a patient to read a product document:
match /products/{productId} {
allow read: if get(.../patients/$(request.auth.uid))
.data.groupId == resource.data.groupId
}
This rule works to allow a staff member to read a product document:
match /products/{productId} {
allow read: if get(.../staff/$(request.auth.uid))
.data.canReadProducts == true;
}
This rule does not work:
match /products/{productId} {
allow read: if get(.../patients/$(request.auth.uid))
.data.groupId == resource.data.groupId
|| get(.../staff/$(request.auth.uid))
.data.canReadProducts == true;
}
These are simplified for the sake of this question, I am testing that a user is authenticated and also using .exists() calls to check if documents exist. Read the "..." in the document paths to read "/database/$(databases)/documents".
My questions is: How can I get multiple .get() calls to work in this senario?
