2
votes

I am developing an app with Flutter. I have a database on Firestore with the structure: Users/(UserID)/collection/document. Here UserID is the unique uid of the user who creates the (UserID) document. The code used to get the user's uid is

user.uid;

where user is an instance of FirebaseUser. I am trying to set up the rules such that the user can read/write only when request.auth.uid matches the (UserID) document id.

service cloud.firestore {
  match /databases/{database}/documents {
    match /Users/{documentID} {
      allow read, write: if isOwner(documentID);
    }

    function isOwner(documentID){
        return request.auth.uid == documentID;
    }
  }
}

But I am getting an error with this:

failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

This is the code performing the query.

class EmployeeList extends StatefulWidget {
  static bool isMale;
  final String userId;
  EmployeeList([this.userId]);
  void setIsMale(bool gen) {
    isMale = gen;
  }

  bool get getIsMale => isMale;

  @override
  State<StatefulWidget> createState() => _EmployeeList();
}

class _EmployeeList extends State<EmployeeList> {
  String employeeName;

  final TextEditingController textEditingController = TextEditingController();
  String gender;
  int keyIndex;
  CollectionReference listColRef;
  bool firstTime;
  Firestore db = Firestore.instance;

  @override
  void initState() {
    gender = EmployeeList().getIsMale ? "Male" : "Female";
    listColRef = db.collection('Users').document(widget.userId).collection('EmployeeList');
    print(widget.userId);
    super.initState();
  }

 @override
 Widget build(BuildContext context) {
   return Scaffold(
      backgroundColor: Colors.grey[100],
      appBar: AppBar(
         title: Text('Employees'),
      ),
      body: Padding(
        padding: const EdgeInsets.all(5),
        child: StreamBuilder<QuerySnapshot>(
            stream: listColRef.where('Gender', isEqualTo: gender).snapshots(),

This is the structure of the database: https://imgur.com/a/aI6UikO

1
Please edit the question to show the code that performs the query that doesn't work the way you expect. - Doug Stevenson
Are you sure that request uid and your document id are the same? Authentication users and database users are not linked by default using firebase. - Augustin R
In addition to the code Doug asked for, we'll probably also want to see the document you're trying to read. A screenshot is typically best for that. - Frank van Puffelen
Will it be fine if I link the GitHub repo? Or do you want me to add the code itself? - Sam1112
This is the structure of the Database. imgur.com/a/aI6UikO - Sam1112

1 Answer

1
votes

Your database rules don't match your query. Your query is attempting to find documents under a collection using the pattern /Users/{userId}/EmployeeList. But your rules are only allowing access to documents under /Users/{documentID}. If you want to allow access to documents inside nested subcollections, you will need to make sure the entire path matches. For example:

match /Users/{userId}/EmployeeList/{id} {
  allow read, write: if isOwner(userId);
}
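
The mismatch described in the answer can be reproduced with a small model of rule path matching. This is an added example, not code from the question, the answer or Firebase: the matcher is a simplification, the uid and document id are constructed, and the `{document=**}` rule is an alternative that goes beyond what the page shows.

```javascript
// Added illustration: a simplified model of Firestore rule path matching,
// not Firebase's implementation. UIDs and document ids below are constructed.

// Match a rule pattern against a document path; return the bound wildcard
// variables, or null when the pattern does not cover the path.
function matchPath(pattern, path) {
  const pat = pattern.split('/').filter(Boolean);
  const segs = path.split('/').filter(Boolean);
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    if (i >= segs.length) return null;            // path is shorter than the pattern
    const rec = /^\{(\w+)=\*\*\}$/.exec(pat[i]);
    if (rec) {                                    // {name=**}: rest of the path
      if (i !== pat.length - 1) return null;      // model supports it only as last segment
      vars[rec[1]] = segs.slice(i).join('/');
      return vars;
    }
    const single = /^\{(\w+)\}$/.exec(pat[i]);
    if (single) vars[single[1]] = segs[i];        // {name}: exactly one segment
    else if (pat[i] !== segs[i]) return null;     // literal segment must be equal
  }
  return segs.length === pat.length ? vars : null; // no implicit cascade to subcollections
}

// Rules are deny-by-default: allow only if a matching rule's condition is true.
function isAllowed(rules, path, authUid) {
  return rules.some(({ pattern, allow }) => {
    const vars = matchPath(pattern, path);
    return vars !== null && allow(authUid, vars);
  });
}

// Mirrors isOwner() from the question; null models an unauthenticated request.
const isOwner = (authUid, id) => authUid !== null && authUid === id;

const questionRules = [
  { pattern: '/Users/{documentID}', allow: (uid, v) => isOwner(uid, v.documentID) },
];
const answerRules = [
  ...questionRules,
  { pattern: '/Users/{userId}/EmployeeList/{id}', allow: (uid, v) => isOwner(uid, v.userId) },
];
// Alternative not used on the page: one rule for every subcollection of the user.
const recursiveRules = [
  { pattern: '/Users/{userId}/{document=**}', allow: (uid, v) => isOwner(uid, v.userId) },
];
```

With the question's rules, the owner is denied on `/Users/<uid>/EmployeeList/<id>` because no `match` block covers that path; with the answer's rule the owner is allowed while other and unauthenticated users are still denied.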