Firestore security rules: get parameter to use in security rules

2
votes

I am currently writing some security rules to secure my firestore database, but I am having some issues. I want to be able to get data from my query parameters to put into my rules (I want to be able to use clientId):

db.collection('Users').doc(userId).where('connections', 'array-contains', clientId).get();

I want to be able to use the clientId in my firestore security rules so that I can query another collection using that client id, as I dont think that firestore security rules provides "where" capability in the get queries. Is this at all possible?

Like so: request.auth.uid in get(/databases/$(database)/documents/Users/$(clientId)).data.connections

Thanks for your help.

1
firebasegoogle-cloud-firestorefirebase-authenticationfirebase-security
Have you found a solution to this? I am struggling with the same problem. - matsmats
@matsmats no, I haven't unfortunatley. I don't think it's possible currently. - danwillm

1 Answers

0
votes

I've also been struggling with the same problem for a while and finally managed to solve it:

Database

/familyMembers/{familyMemberId}
{
    parents 
        userId1
            userId: "userId1"
        userId2
            userId: "userId2"
}

Security rules

match /familyMembers/{familyMemberId}/{document=**} {
    allow read, write: if resource.data.parents[request.auth.uid] != null;
}

match /anotherCollection/{familyMemberId}/{document=**} {
    allow read, write: if request.auth.uid in get(/databases/$(database)/documents/familyMembers/$(familyMemberId)).data.parents;
}

Query from Swift code

db.collection("familyMembers").whereField("parents.\(userId).userId", isEqualTo: userId).getDocuments()

Reference: https://groups.google.com/forum/#!searchin/firebase-talk/jannica%7Csort:date/firebase-talk/1rTmJmNyJNQ/x2P8vPdqAQAJ