0
votes

My app tries to read documents under the collection 'Sites'. I did a simulated read operation, which works fine, as follows:

Profile/'actual profile id'/Sites/'actual site id'

This simulated read works probably because I am reading a pre-defined document. I am not sure.

My security rule is as follows:

match /Profile/{profile}/Sites/{site} {
 allow read: if isOneOfRoles (get(/databases/$(database)/documents/Profile/$(profile)/Sites/$(site)),['FULL', 'OWNER', 'VIEW']);
}

function getRole(rsc) {return rsc.data.SHARED_WITH[request.auth.token.email];}

function isOneOfRoles(rsc, array) {return isSignedIn() && (getRole(rsc) in array);}

And finally my query is as follows:

Firestore.instance.collection('Profile/${_firebaseUser.uid}/Sites')
        .where('ARCHIVE',isEqualTo: false)
        .orderBy('DATE',descending: true)
        .getDocuments();

My database structure looks like the following: [image: database structure]

I am getting a permission denied error in my console. I need help in understanding where I am going wrong.

1
Please edit the question to show the full rule, including the match statement. The partial rules you're showing now are not sufficient to understand what's going on. You should also show the relevant data in the database that would be used to make a decision about whether or not to allow access. - Doug Stevenson

1 Answers

1
votes

The rule is rejecting your query because Firebase security rules are not filters. You can't use a rule to limit the set of documents that would match the query.

Right now, your query demands to know all documents where ARCHIVE = true, but your rule does not allow the query of documents that are dependent on some other documents that are based on data in the query. The rules engine will not read and check each and every one of those other documents - this does not scale at all.

You will have to find another way of structuring your data, perhaps by putting the permission within each document itself, and using those permissions as part of the query filter.
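One way to apply the restructuring suggested in the answer above, as an added example that is not code from the question or the answer. It assumes each site document carries a hypothetical `VIEWERS` array listing the e-mail addresses of every account holding a FULL, OWNER or VIEW role, and it defines `isSignedIn()` itself because the question does not show its body.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed definition; the question calls isSignedIn() without showing it.
    function isSignedIn() {
      return request.auth != null;
    }

    match /Profile/{profile}/Sites/{site} {
      // The permission lives in the document being read (resource.data),
      // so no get() of any document is needed to decide access.
      // VIEWERS is a hypothetical array field, e.g.
      //   VIEWERS: ['alice@example.com', 'bob@example.com']
      // kept in sync with the SHARED_WITH role map when roles change.
      // email_verified stops an account with an unconfirmed address
      // from matching somebody else's entry in the list.
      allow read: if isSignedIn()
                  && request.auth.token.email_verified
                  && request.auth.token.email in resource.data.VIEWERS;
    }
  }
}

// Matching client query (same API as in the question). The arrayContains
// constraint repeats the rule's condition, so the rules engine can accept
// the query from its constraints alone, without reading every document:
//
// Firestore.instance.collection('Profile/${_firebaseUser.uid}/Sites')
//     .where('VIEWERS', arrayContains: _firebaseUser.email)
//     .where('ARCHIVE', isEqualTo: false)
//     .orderBy('DATE', descending: true)
//     .getDocuments();
//
// The same query without the VIEWERS constraint is still denied, even when
// every document it would return lists the caller in VIEWERS.
```

Combining `arrayContains` with the `ARCHIVE` equality filter and the `DATE` ordering requires a composite index on those three fields.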