0
votes

I need to limit access to Meeting objects stored in Firestore to specific user ids (meeting participants).

Meeting example:

{
    name: "Topic 1",
    participantsIds: [
        "0YClg4mgljK8m16znDrW",
        "xFRCam5joc3nDW5jHWT5"
    ]
}

To load meetings from Firestore for a specific participant, I can easily use a where query with the “array-contains” operator.

How do I write a Firestore security rule to prevent reads by users who are not meeting participants (not in the participantsIds array)?

Is there a better approach to storing participants on a meeting that makes it easy to query and to write security rules?

1 Answer

1
votes

Firestore List type fields show up as List objects in security rules. You can use the in operator to check if an element exists in a list. Assuming that you're using Firebase Auth to identify users, this will allow only users listed in the participantsIds field to read the document:

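match /your-meetings-collection/{id} {
  // Field name must match the stored document (participantsIds in the question);
  // a missing field makes the expression error out, which denies the read.
  allow read: if request.auth.uid in resource.data.participantsIds;
}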
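
The rule from the answer placed in a complete ruleset, as an added example that is not part of the original answer. The collection name `meetings` and the helper name `isParticipant` are assumptions; the field name follows the question's `participantsIds`.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // "meetings" is an assumed collection name; the page does not name it.
    match /meetings/{meetingId} {

      // True only for a signed-in caller whose uid appears in the stored
      // document's participantsIds list. An unauthenticated request, or a
      // document without that field, never satisfies it.
      function isParticipant() {
        return request.auth != null
            && request.auth.uid in resource.data.participantsIds;
      }

      // Single-document reads are checked against the stored document.
      allow get: if isParticipant();

      // Rules are not filters: a query is allowed only when its own
      // constraints guarantee that every possible result passes the rule.
      // The "array-contains" query from the question, run with the
      // caller's own uid, does. A query without that constraint is
      // rejected as a whole instead of being trimmed to permitted docs.
      allow list: if isParticipant();

      // No write rule is declared here, so all writes are denied by default.
    }
  }
}
```

The Rules Playground in the Firebase console or the Local Emulator Suite can be used to confirm that a signed-in participant is allowed, and that a non-participant and an unauthenticated caller are denied.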