3
votes

I have a Firebase Cloud Firestore app with a collection of friendships and a collection of friendship-requests. Each document in these collections has the uid of the two friends (for friendships) or potential friends (for friendship-requests). Once the second friend accepts the request, the document is moved from the friendship-requests collection to the friendships collection.

When the app loads, the current user queries the friendships collection for documents that contain their uid, makes a list of the other uids in those documents (these are the uids of their friends), then queries the users collection using this list to retrieve data about their friends.

What is a good strategy for how I could write Firebase rules to stop people from accessing the data of users that haven't accepted their friend request?

1
When you say "general strategy", what are you looking for? The general strategy for all security rules is to allow only the access to each user that they should have to specific data. Anything after that is a matter of actually writing the rules that meet those requirements. The documentation is full of information about how rules work. Do you have a specific problem about writing rules that you're trying to address, based on what you know from the docs? firebase.google.com/docs/firestore/security/get-started - Doug Stevenson

@DougStevenson By general strategy, I mean that I'm a bit lost as to where I should start for how to check inside documents of the friendships collection for the right uids and stop people from forging friendships documents. Is there a way to query collections within the Firebase rules, like a more powerful version of the get() function? - harold__hadrada

No, security rules do not have querying capability. That would not scale at all for large collections. You will need to structure your data in such a way that works with the capabilities of security rules. - Doug Stevenson

@DougStevenson can you please add this as an answer. - marian.vladoi

1 Answer

1
votes

Security rules do not have querying capability. That would not scale at all for large collections. You will need to structure your data in such a way that works with the capabilities of security rules.
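One way to restructure the data so that the "no querying" constraint stops mattering, as an added example that is not part of the answer above: give every request and friendship document a deterministic id built from the sorted pair of uids, so a rule can check a single document with `exists()` or `get()` instead of searching a collection. The collection names are the ones from the question; the `from`, `to` and `users` field names and the `pairId` helper are assumptions of this example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() { return request.auth != null; }
    function uid() { return request.auth.uid; }
    // Sorted pair joined with '_' so both users compute the same key (assumed convention).
    function pairId(a, b) { return a < b ? a + '_' + b : b + '_' + a; }
    // A friendship exists only if the accepted document for this exact pair is present.
    function isFriend(other) {
      return exists(/databases/$(database)/documents/friendships/$(pairId(uid(), other)));
    }

    match /users/{userId} {
      // A profile is readable by its owner and by accepted friends; nobody else.
      allow read: if signedIn() && (userId == uid() || isFriend(userId));
      allow write: if signedIn() && userId == uid();
    }

    match /friendship-requests/{requestId} {
      // Only the sender may create a request, only as themselves, and only under the pair id,
      // so a request cannot be planted on behalf of someone else.
      allow create: if signedIn()
        && request.resource.data.keys().hasOnly(['from', 'to'])
        && request.resource.data.from == uid()
        && request.resource.data.to != uid()
        && requestId == pairId(request.resource.data.from, request.resource.data.to);
      allow read, delete: if signedIn()
        && (resource.data.from == uid() || resource.data.to == uid());
    }

    match /friendships/{friendshipId} {
      // Only the recipient of a still-pending request can create the friendship, and the
      // document id must match the pair, which prevents forging a friendship with a stranger.
      allow create: if signedIn()
        && request.resource.data.keys().hasOnly(['users'])
        && request.resource.data.users.size() == 2
        && uid() in request.resource.data.users
        && friendshipId == pairId(request.resource.data.users[0], request.resource.data.users[1])
        && get(/databases/$(database)/documents/friendship-requests/$(friendshipId)).data.to == uid();
      allow read, delete: if signedIn() && uid() in resource.data.users;
    }
  }
}
```

With this layout the client accepts a request by creating the friendships document first and deleting the request afterwards, since the create rule needs the pending request to still exist. Because `isFriend` is a per-document check, read each friend's profile with an individual document get rather than one query over the whole users collection.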