Firestore Security Rules for CRUD Operations React

0
votes

I am relatively new to firebase and have been using it to integrate Firestore and authentication with a ReactJS app I'm working on.

I know that collections hold documents, and the documents in effect hold key value pairs. I have a collection of songs and within that I have the following fields:-

  1. Created Timestamp

  2. Lyrics

  3. Song Title

I am able to login a user with firebase authentication get the UID of the user when they sign in and create a new song, the entry is made to the database with the document ID as the UID.

All this only works if I have my rules set to 

match /{document=**} {allow read, write:}

When I change my rules to this:-

rules_version = '2';
service cloud.firestore {

  match /databases/{database}/documents {
  match /songs/{songID} {
     allow read:  if request.auth!=null;
     allow write: if isValid();
  }

  function isValid(){
     return request.resource.data.uid == request.auth.uid;
  }}}

I get the following error when I run it.

Unhandled Rejection (FirebaseError): Missing or insufficient permissions.

I just want to ensure that the logged in user can read, write and update his/her own songs and nothing apart from that.

1) I'm unable to understand how to frame the firebase rules to achieve this and prevent permission errros.

2) If I use the document ID as the UID, i.e the same document ID for 5 songs. How would I be able to update the song title/lyrics in the songs since the document ID for a particular user would be the same?

1
javascriptreactjsfirebasegoogle-cloud-firestorefirebase-security

1 Answers

1
votes

I'm unable to understand how to frame the firebase rules to achieve this and prevent permission errors.

The following rules will do the trick:

rules_version = '2';
service cloud.firestore {

  match /databases/{database}/documents {

    match /songs/{songID} {
       allow read:  if request.auth.uid == resource.data.uid;
       allow write: if isValid();
    }

    function isValid(){
       return request.resource.data.uid == request.auth.uid;
    }
  }
}

I would suggest you watch the very clear video embedded in this documentation page: https://firebase.google.com/docs/firestore/security/get-started?authuser=0

If I use the document ID as the UID, i.e the same document ID for 5 songs. How would I be able to update the song title/lyrics in the songs since the document ID for a particular user would be the same?

You cannot use the same Document ID for different Firestore document. The Document ID must be unique, by definition. The best is to let Firestore generate a Document ID (e.g. with the add() method) and add, within a document, the author uid, as you have already done (since you do request.resource.data.uid).

Then you can construct queries that filter the documents corresponding to the user uid. For example:

var user = firebase.auth().currentUser;

var songsRef = db.collection("songs");
var mySongsQuery = songsRef.where("uid", "==", user.uid);