Firebase Security Rule with attribute in database

2
votes

I need security rules for my firebase-app. My Data looks like this

{
     owner = "djskjfskdjf",
     data = "some data"
}

Collection Path is /Data/ I want that users that are authenticated users can read and create documents in this collection. To edit or delete documents, I want that the uid in the field owner is the same as the request.auth.id.

According to firebase documentation this should work:

service cloud.firestore {
    match /databases/{database}/documents {
        match /Data/{document=**} {
            allow read, create: if request.auth.uid != null;
            allow delete, write: if request.auth.uid == request.resource.data.owner;
        }
    }
}

But when I try to update a field in simulation it gives me the error: Error: simulator.rules line [5], column [51]. Property resource is undefined on object.

I hope you can help me with this problem.

1
firebasegoogle-cloud-firestorefirebase-authenticationfirebase-security
I suggest starting with the documentation and make an attempt to implement the rules you just described. Edit the post with the specific code that doesn't work the way you expect. firebase.google.com/docs/firestore/security/get-startedDoug Stevenson
Edited my post with what you asked forMcSlinPlay
Have you tried just resource.data.owner instead of request.resource.data.owner?Michael Bleigh
That gives a null value errorMcSlinPlay

1 Answers

3
votes

If your request isn't sending the all the required fields you're checking in rules, then request.resource.data.owner wont work (like if you are just sending data but not owner with the request).

You should use the below style to match an existing object in the database. It won't matter if the request omits the owner info. allow delete: if resource.data.owner == request.auth.uid;