Firestore rules for document field

firebase google-cloud-firestore firebase-security
Edblocker picture Edblocker · Apr 19, 2018 · Viewed 10.9k times · Source

I'm struggling within Firestore to set security rules for a document. With the RTDB is was possible to set rules for a specific object property and I'm trying to do the same with Firestore.

RTDB Code:

"users": {
    ".read": true,
    ".indexOn": ["profile/name"],
    "$uid": {
        ".read": "auth != null",
        ".write":
            "$uid === auth.uid && !data.exists()",
        "profile": {
            "birthday": {
                ".write": "$uid === auth.uid"
            },
            "name": {
                ".write": "$uid === auth.uid"
            },
            "banned": {
                ".write": "root.child('admins').child(auth.uid).exists()"
            }
        }
    }
}

Below the same code in Firestore:

service cloud.firestore {
    match /databases/{database}/documents {
        match /users/ {
            allow read
            match /{$user} {
                allow read: if request.auth.uid != null
                allow write: if request.auth.uid == request.resource.id &&  exists(/databases/$(database)/documents/users/$(request.resource.id)) === false

                match /birthday {
                    allow write: if request.auth.uid == request.resource.id
                }
                match /name {
                    allow write: if request.auth.uid == request.resource.id
                }
                match /banned  {
                    allow write: get(/databases/$(database)/documents/users/$(request.auth.uid)).data.userType > 3
                }

            }
        }
    }
}

When I'm writing security rules for a subcollection it's working fine. But for a document field it's not working. Is this not possible or is there a special path segment in the match reference? The documentation doesn't state anything about this.

Answer

Jason Berryman picture Jason Berryman · Apr 19, 2018

You can do this by checking the request.resource.data property. As shown in this section of the documentation. You only need to match the document level. You check the field rules with an if condition.

However, you are unable to control read access to individual fields. A user can either read a whole document or not. If you need to store private data, consider adding this to a sub-collection of the user document.

Here is an example

service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure all cities have a positive population and
    // the name is not changed
    match /cities/{city} {
      allow update: if request.resource.data.population > 0
                    && request.resource.data.name == resource.data.name;
    }
  }
}

Related questions

Missing or insufficient permissions when writing to Firestore using field in access rules

I am getting an error when attempting to write to Firestore. I am attempting to use a field containing the user uid for my security rule. service cloud.firestore { match /databases/{database}/documents { match /messages/{document=**} { allow read: if resource.…

Read More
Email: [Firebase] Client access to your Cloud Firestore database expiring in X day(s)

I got an email that indicates I was developing in "test mode", but that it left my database completely open to the internet. The default rules I initially accepted look like this: rules_version = '2'; service cloud.firestore { match /…

Read More
In Cloud Firestore rules - How do I check if a key is null

In Cloud Firestore Rules - I have a document called task and I want to see if some data (assignee field) is null / don't exists. I've tried: resource.data.assignee == null - Does not work (Error) !resource.data.hasAll(['assignee']) …

Read More