there are collections "company" "orders" and "users"
all collections have their own id.
how to create a rule according to which the user can see only those documents from "orders"
who belong to the same company as him.
"users" documents have a company_id field, and documents do. In general, so that the user could not see other people's orders, please tell me how to create a rule?
rules_version = '2';
service cloud.firestore {
function userCompanyOrders(currentUid,companyId){
return request.auth!=null && resource.data.company_id == companyId&&
/databases/companies/resource.data.id == companyId && }
match /databases/{database}/documents {
match /{document=**} {
allow write, read: if
request.auth != null;
}
}
}
Related
I am collecting my admin users uid's as documents in "admins" collection. I want to allow users to read if they have their uid's in that collection as a document.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /admins/{document=**} {
allow write; // Everyone should be able to write
allow read: if request.auth.uid == ; // Only read if /admins/{youruid}
}
}
}
You can use exists() to check if a document exists. Try refactoring your rules as shown below:
match /admins/{document=**} {
allow read: if exists(/databases/$(database)/documents/admins/$(request.auth.uid));
// Only read if /admins/{youruid}
}
You can read more about exists() in the documentation.
I mean I want to check to be sure the document id of the request is the same as the document id in the database.
I tried this but it doesn't work:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read: if request.resource.id == userId;
}
}
}
Also tried this and it also didn't work:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read: if request.resource.id == resource.id;
}
}
}
I've searched online for hours and every single post is about using authentication uid.
if you want to make sure the uid in request matches name of the user document, then use this:
match /users/{userId} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
}
and if you want to allow new users to be created add this too:
allow create: if request.auth != null;
more details : https://firebase.google.com/docs/firestore/security/rules-conditions
I have collection Users which has documents with the same Id as the user.uid. I want to allow logged in users to create documents and only update, delete and read their documents which is specified with the same UID as mentioned.
I tried this but it keeps failing.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{document} {
allow create, : if request.auth != null;
allow update, delete, read: if request.auth != null && request.auth.uid == request.resource.data.UID;
}
}
}
In this code i am trying to compare the uid of the logged user with a document field called UID
Have a look at the documentation, it shows exactly the response to your question.
service cloud.firestore {
match /databases/{database}/documents {
// Make sure the uid of the requesting user matches name of the user
// document. The wildcard expression {userId} makes the userId variable
// available in rules.
match /users/{userId} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
allow create: if request.auth != null;
}
}
}
The key point is to use the {userId} wildcard expression to match the ID of the document being read/updated/deleted with the uid of the user (i.e. request.auth.uid);
I need some help making my security rules for firestore work.
These are my firestore rules:
service cloud.firestore {
match /databases/{database}/documents {
match /orders/{orderID} {
allow read, update: if request.auth.uid == resource.data.buyerId || request.auth.uid == resource.data.sellerId;
}
}
}
my orders collection:
orders: {
sellerId: 'some-id',
createdAt: timestamp,
buyerId: 'some-id'
}
It should return all documents from orders collection which has either buyerId or sellerId equal to authorised user (request.auth.uid).
but the above rule is not working as expected.
firestore collections screenshot
firebase simulator output
That error message is suggesting that the requested document was not actually present in the database. You entered "orders/{orderId}", which looks like you put a wildcard in the Location field in the simulator. That's not going to work. You need to enter the path to an actual document that exists if you want to test your rule that uses its field values.
resource.data: Null - this error happens when you try to create a new entity.
Split write rule, on create and update.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /user/{userId} {
allow read: if request.auth.uid == userId;
function authed() {
return request.auth.uid == userId;
}
allow create: if authed() && request.resource.data.keys().hasOnly(['name']);
allow update: if authed() && request.resource.data.diff(resource.data).changedKeys().hasOnly(['name']);
allow delete: if authed();
}
}
}
My database is built in a way that each User has his own document in users collection, that document's id is equal to the users id, and inside the document there is a collection of Tasks for each user.
when i use:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
Everything works and a logged in user (i only log-in users with google provider) is able to read and write to the database, in his own collection of tasks (haven't tried writing to another user's tasks, but i assume it is possible in the given situation). But i want to restrict the users to only be able to write and read their own tasks, i tried the following:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{user} {
allow read, write: if request.auth.uid == resource.id;
}
}
}
But it does not work.
a scheme of my database:
database
any ideas?