Firebase Firestore - security rule based on “where” query parameters

0
votes

I'm trying to secure requests to a collection to allow any single get, but to allow list only if a specific key is matched.

Database structure is like this:

posts
  post1
    content: "Post 1 content"
    uid: "uid1"
  post2
    content: "Post 2 content"
    uid: "uid1"
  post3
    content: "Post 3 content"
    uid: "uid2"

The Firestore query I'm making from Vue:

// Only return posts matching the requested uid

db
  .collection("posts")
  .where("uid", "==", this.uid)

The security rules I'd like to have would be something like this:

match /posts/{post} {
  allow get: if true // this works
  allow list: if [** the uid in the query **] != null

I want to do this so you can list the posts of a specific user if you know their uid but can't list all posts of the system.

Is there a way to access the requested .where() in the security rules or how can I write such rule or structure my data in this case?

Relevant & credits:

  • Seemingly, I can make a request on a query's limit, offset, and orderBy. But there's nothing on where. See: #1 & #2.

  • I copy-pasted much from this question. I don't see how the accepted answer answers the question. It seems like it answers another case where a user is allowed to list some other users' posts. That is not my case; in my case, what's public is public. So, it doesn't answer the main question in my case, it seems.

1
firebasegoogle-cloud-firestoreangularfire2firebase-security

1 Answers

1
votes

There's currently no way, using security rules, to check if a field is being used in query. The only thing you can do is verify that a document field is being used as a filter using only values you allow.

Instead, consider duplicating enough data into another collection organized like this:

user-posts      (collection)
  {uid}         (document using UID as document ID)
     posts      (subcollection)
       {postId} (documents using post ID as document ID)

This will require the client to call out a UID to query in order to get all the posts associated with that user. You can store as much information about the post documents as you like, for the purpose of satisfying the query.

Duplicating data like this is common in NoSQL databases. You might even want to make this your new default structure if you don't want your users to query across all posts at any given moment. Note that a collection group query naming the "posts" subcollection would still query across all posts for all users, so you'd have to make sure your security rules are set up so that this is enabled only when you allow it to happen.

Also note that UIDs are typically not hidden from users, especially if your web site is collaborative in nature, and you combine multiple users' data on a single page.