I may have some problem with the syntax of the Firestore security rules, because I think the logic behind my database structure is correct and also the security rules should be correct.
So the structure is as follows. I have a collection of "users"; they are either buyers or sellers (of watches, say). And there is a collection of "watches". Inside watches, sellers can create documents which contain details of the watch and also the id of the seller.
A document inside "watches" has a subcollection called "status". Inside "status" there is a single document; this document has a field which is also called "status". Its value is either 0 or 1: 0 means it is available (for buying) and 1 means it is reserved by someone. The security rules are: only the creator of a watch document can alter that document, and (any) buyer can only change the status if the status was 0.
I thought the following should do the job:
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{$uid} {
      allow read, update: if request.auth.uid == $uid;
    }
    match /watches/{watchId} {
      allow read: if true;
      allow update: if request.resource.data.sellerId == request.auth.uid;
      match /status/{statusId} {
        allow read: if true;
        allow update: if request.resource.data.status == 0 && request.auth != null;
      }
    }
  }
}
I did some simulations, but it never allowed me to make changes in the status (I was signed in and the status was 0). Is there something wrong with the code?
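An added example, not part of the original question: a JavaScript model (not Firebase code) of how an update rule sees `resource`, the stored document, versus `request.resource`, the document as it would look after the write, applied to the two posted `allow update` predicates and a corrected pair. The uids, the `updateContext` helper and the corrected predicates are assumptions made for illustration.

```javascript
// Model of Firestore update-rule evaluation (constructed; not Firebase code).
//   resource         = the document as stored before the write
//   request.resource = the document as it would look after the write

// Posted status rule: tests the value being written, not the stored one.
const postedStatusRule = ({ request }) =>
  request.resource.data.status === 0 && request.auth !== null;

// Corrected (assumption). In rules syntax:
//   resource.data.status == 0 && request.resource.data.status == 1
const fixedStatusRule = ({ request, resource }) =>
  request.auth !== null &&
  resource.data.status === 0 &&
  request.resource.data.status === 1;

// Posted watch rule: ownership is read from the incoming data.
const postedWatchRule = ({ request }) =>
  request.resource.data.sellerId === request.auth?.uid;

// Corrected (assumption): ownership comes from the stored document,
// and sellerId may not change in the update.
const fixedWatchRule = ({ request, resource }) =>
  request.auth !== null &&
  resource.data.sellerId === request.auth.uid &&
  request.resource.data.sellerId === resource.data.sellerId;

// Build the rule context for an update: the patch is merged over the stored doc.
function updateContext(uid, stored, patch) {
  return {
    request: { auth: uid ? { uid } : null, resource: { data: { ...stored, ...patch } } },
    resource: { data: stored },
  };
}

// Constructed write attempts (uids are made up).
const reserve = updateContext("buyer1", { status: 0 }, { status: 1 });
const unreserve = updateContext("buyer2", { status: 1 }, { status: 0 });
const changeSeller = updateContext("buyer2", { sellerId: "seller1" }, { sellerId: "buyer2" });

function evaluate() {
  return {
    postedReserve: postedStatusRule(reserve),         // denied: written value is 1
    postedUnreserve: postedStatusRule(unreserve),     // allowed for any signed-in user
    fixedReserve: fixedStatusRule(reserve),
    fixedUnreserve: fixedStatusRule(unreserve),
    postedChangeSeller: postedWatchRule(changeSeller), // allowed: sellerId overwritten
    fixedChangeSeller: fixedWatchRule(changeSeller),
  };
}

console.log(evaluate());
```

The `postedReserve` result matches the simulator denial described in the question; the other two posted results show writes the rules accept even though the stated policy forbids them.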