2
votes

I am developing an app with Flutter. I have a database on Firestore with the structure: Users/(UserID)/collection/document. Here UserID is the unique uid of the user who creates the (UserID) document. The code used to get the user's uid is

user.uid;

where user is an instance of FirebaseUser. I am trying to set up the rules such that the user can read/write only when request.auth.uid matches the (UserID) document id.

service cloud.firestore {
  match /databases/{database}/documents {
    match /Users/{documentID} {
      allow read, write: if isOwner(documentID);
    }

    function isOwner(documentID){
        return request.auth.uid == documentID;
    }
  }
}

But I am getting an error with this:

failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

This is the code performing the query.

class EmployeeList extends StatefulWidget {
  static bool isMale;
  final String userId;
  EmployeeList([this.userId]);
  void setIsMale(bool gen) {
    isMale = gen;
  }

  bool get getIsMale => isMale;

  @override
  State<StatefulWidget> createState() => _EmployeeList();
}

class _EmployeeList extends State<EmployeeList> {
  String employeeName;

  final TextEditingController textEditingController = TextEditingController();
  String gender;
  int keyIndex;
  CollectionReference listColRef;
  bool firstTime;
  Firestore db = Firestore.instance;

  @override
  void initState() {
    gender = EmployeeList().getIsMale ? "Male" : "Female";
    listColRef = db.collection('Users').document(widget.userId).collection('EmployeeList');
    print(widget.userId);
    super.initState();
  }

 @override
 Widget build(BuildContext context) {
   return Scaffold(
      backgroundColor: Colors.grey[100],
      appBar: AppBar(
         title: Text('Employees'),
      ),
      body: Padding(
        padding: const EdgeInsets.all(5),
        child: StreamBuilder<QuerySnapshot>(
            stream: listColRef.where('Gender', isEqualTo: gender).snapshots(),

This is the structure of the database: https://imgur.com/a/aI6UikO

1
Please edit the question to show the code that performs the query that doesn't work the way you expect. - Doug Stevenson
Are you sure that request uid and your document id are the same? Authentication users and database users are not linked by default using Firebase. - Augustin R
In addition to the code Doug asked for, we'll probably also want to see the document you're trying to read. A screenshot is typically best for that. - Frank van Puffelen
Will it be fine if I link the GitHub repo? Or do you want me to add the code itself? - Sam1112
This is the structure of the database: imgur.com/a/aI6UikO - Sam1112

1 Answer

1
votes

Your database rules don't match your query. Your query is attempting to find documents under a collection using the pattern /Users/{userId}/EmployeeList. But your rules are only allowing access to documents under /Users/{documentID}. If you want to allow access to documents inside nested subcollections, you will need to make sure the entire path matches. For example:

match /Users/{userId}/EmployeeList/{id} {
  allow read, write: if isOwner(userId);
}
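
The path matching this answer describes, as an added example that is not part of the original answer: a simplified JavaScript model (not the Firestore rules engine) that checks a document path against `match` patterns and the `isOwner` condition. It goes beyond the answer by also modelling the recursive wildcard `{document=**}` with `rules_version = '2'` semantics; the uids, document ids and the `ownerVar` field are constructed for illustration.

```javascript
// Simplified model: only path matching and the isOwner() comparison are
// modelled. Assumption: rules_version = '2' recursive-wildcard semantics.

// Returns the wildcard bindings if `pattern` matches `path`, otherwise null.
function matchPath(pattern, path) {
  const pat = pattern.split('/').filter(Boolean);
  const seg = path.split('/').filter(Boolean);
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    const rec = /^\{(\w+)=\*\*\}$/.exec(pat[i]);
    if (rec) {                        // {name=**} binds the rest of the path
      vars[rec[1]] = seg.slice(i).join('/');
      return vars;
    }
    if (i >= seg.length) return null; // pattern is longer than the path
    const one = /^\{(\w+)\}$/.exec(pat[i]);
    if (one) vars[one[1]] = seg[i];   // {name} binds exactly one segment
    else if (pat[i] !== seg[i]) return null;
  }
  // A pattern without ** must cover the whole path: a match on the parent
  // document does not extend to documents in its subcollections.
  return pat.length === seg.length ? vars : null;
}

// Access is granted only if some rule matches the full document path and the
// signed-in uid equals the segment bound to the rule's owner variable.
function allowed(rules, uid, path) {
  return rules.some(({ pattern, ownerVar }) => {
    const vars = matchPath(pattern, path);
    return vars !== null && uid !== null && vars[ownerVar] === uid;
  });
}

// Rules from the question, from the answer, and a recursive-wildcard variant.
const questionRules = [{ pattern: '/Users/{documentID}', ownerVar: 'documentID' }];
const answerRules = [
  ...questionRules,
  { pattern: '/Users/{userId}/EmployeeList/{id}', ownerVar: 'userId' },
];
const recursiveRules = [{ pattern: '/Users/{userId}/{document=**}', ownerVar: 'userId' }];

// Constructed sample document path inside the EmployeeList subcollection.
const employeeDoc = '/Users/alice-uid/EmployeeList/emp1';
console.log('question rules :', allowed(questionRules, 'alice-uid', employeeDoc));
console.log('answer rules   :', allowed(answerRules, 'alice-uid', employeeDoc));
console.log('other user     :', allowed(answerRules, 'bob-uid', employeeDoc));
console.log('recursive rules:', allowed(recursiveRules, 'alice-uid', employeeDoc));
```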