Firebase Rules: Problem with role based authentication in groups and .where()

0
votes

I'm trying to secure an app in which users can manage their bands. The users can be part of multiple bands and therefore can have different roles depending on which band they are in. The roles are stored in a Map Field in the Band document.

I currently have the following firebase/firestore rules setup:

service cloud.firestore {
match /databases/{database}/documents {
    function isSignedIn() {
        return request.auth != null;
    }

    match /bands/{bandID}{
        function isBandAdmin(userID){ 
            // Determine if user is a band admin
            return get(/databases/$(database)/documents/bands/$(bandID)).data.members[userID].role == 'Admin';
        }

        allow read, update, create: if isSignedIn() && isBandAdmin(request.auth.uid);

        // Rules for a band's concerts
        match /events/{event}{
            allow read, update, create: if isSignedIn() && (isBandAdmin(request.auth.uid));
        }
    }
}

Now this works perfectly if i perform a get request in the simulator provided by the firebase console. But in my project i'm trying to perform the following request:

database.collection("bands").where("name" ,"==", "AC/DC").get().then((docs) => {...});

This gives me a permission error. How can i make this work?

PS: I already posted a similar question but this is an important update.

1
javascriptfirebasegoogle-cloud-firestorefirebase-security
It seems the user is either not signed in, or is not an admin. Given the information you provided it's hard to say which one it is. To determine whether the user is signed in, log firebase.auth().currentUser right before running the query. - Frank van Puffelen
That's not the Problem. The user is signed in and also admin. The answer below is correct. - Andri

1 Answers

2
votes

It looks like you're expecting that security rules should filter the documents in the query that match some user's role. This isn't going to work, because security rules are not filters. Please read the linked documentation carefully.

When you perform a query for multiple documents, security rule should be definitely allowing all of those documents to be fetched. It will not look at each document individually to figure out if it's allowed to be read. If the rule system determines that any one of the documents might not be allowed, then the entire query fails.