How To use Firebase Auth with Firestore in flutter

1
votes

I have a flutter application based on cloud_firestore and firebase_auth, I Add user (blue button) by Authentication firebase, and kept the ID in the code so that this user is the administrator, regular users can create an account by application (email and password), What I want is to make sure the administrator is the only one can delete data from the database, while the rest of the users are only allowed to read and write, so I did this:

I changed roles in my Cloud Firestore project to this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
      allow delete : if request.auth.uid == 'psqxVzX6BvYCuWbajhcEK1QGZOo1';
    }
  }
}

Is this true or not, and how can Firebase be sensitive to uid?

Maybe my question is how to send the uid with the firestore request.

Thank you in advance

1
firebaseflutterdartgoogle-cloud-firestorefirebase-authentication
There is no need to send the id to Firestore as part of the request. It is automatically handled by the Firestore plugin. You could check that out by making a new account and try to delete a document - Uni
I created a new user, were able to delete Document, and this is opposed the rolls - farouk osama
Thats because your rule is wrong. Sorry, I didn't notice how you wrote your rule but you allowed to read and write if the request is null. By default, write means create, update, and delete. You can test if your rule works in their sandbox - Uni
I appreciate your effort, thank you, but there is (create, update), I am new to Firebase - farouk osama
Please replace the picture of your rules with the actual rules as text. In general: don't post pictures of text. - Frank van Puffelen

1 Answers

1
votes
  1. If you have a write rule, that rules allows create, update and delete operations.
  2. If you have multiple rules for the same operation, they are OR'ed together.

This means that your allow read, write: if request.auth != null allows any authenticated user to create, update and delete any document in the database.

If you only want to allow any authenticated user to create or update a document, but only want the user with that specific UID to delete documents, you have to explicitly name those operations:

allow read, create, update: if request.auth != null;
allow delete: if request.auth.uid == 'psqxVzX6BvYCuWbajhcEK1QGZOo1';

For full info, see the documentation on granular operations.