User to access only his/her document in Firestore

Question

I'm struggling by setting the firestore rules.

As per the screenshot, I have collection for the user with dynamic document IDs.

I'm trying to set a rule for the user to access only his/her document.

FbId is facebook id (since it is the authentication way in my app)

userId is firebase id (not sure if it is important to save it or not)

Here is my current rule:

match /users/{document=**} {
  allow read, write: if normalUser();
  }

  function normalUser() {
  return request.auth.token.firebase.sign_in_provider == "facebook.com"
  && request.auth.uid != null;
}

This rule gives access to the authenticated user for the whole collection.

How can I set this rule? If there is anything I need to change in the structure?

Update: I don't want to change the documentid for the user collection to match userid because I have another collection where the user could have multiple documents; so this solution won't fit everything.

Thanks

Doug Stevenson Doug Stevenson · Accepted Answer · 2019-08-15T14:40:02

It will be far easier for you to use the Firebase Authentication UID of the user as the ID of the document. The Facebook UID is not going to be available in security rules.

If you use the Firebase UID, you can then write rules that look like the ones in the documentation for user-based security. Click through and read where it says "Another common pattern is to make sure users can only read and write their own data". This is probably what you want to do.

service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure the uid of the requesting user matches name of the user
    // document. The wildcard expression {userId} makes the userId variable
    // available in rules.
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }
  }
}

User to access only his/her document in Firestore

2 Answers