Using contains() with firebase rules

0
votes

I am trying to set a custom rule in Firestore using the following documentation: https://firebase.google.com/docs/reference/security/database/#containssubstring

I'm using the custom claims for this.

What works:

match /calendar/{calendar} {
    allow read: if request.auth.token.customData == "calendar-read,calendar-write";
}

What doesn't work and I don't know why:

match /calendar/{calendar} {
    allow read: if request.auth.token.customData.contains("calendar-read");
}

This will give me: "FirebaseError: Missing or insufficient permissions"

1
firebasegoogle-cloud-firestorefirebase-securitycontains
You are mixing up the security rules for the Realtime Database (cf. the link in your question) and for Firestore (match /calendar/{calendar}). You need to give more detail on how you set the Custom Claims in order for us to help you. - Renaud Tarnec

1 Answers

0
votes

Since you are using Firestore, you should use the API documentation for Firestore String, not Realtime Database String. You will see that there is no method called "contains" for Firestore strings.

If you want to check if there is a substring contained within a string, you should use matches() instead, and provide a regular expression to match with.

allow read: if request.auth.token.customData.matches(".*calendar-read.*");

The above should return true if request.auth.token.customData contains the string "calendar-read" anywhere within it.

If you are using a comma-separated list of values, consider instead using split() and list.hasAny() to be more clear.