This question already has answers here:
Firebase Firestore security rule: Only allow collection group query if filtering by a specific field
(2 answers)
Firestore Security Rules: Passing a request parameter in a get() call?
(1 answer)
Can I send value with request to Firestore rules
(2 answers)
Firebase Firestore - security rule based on "where" query parameters
(1 answer)
Closed last year.
I have the following Firestore query which can be invoked by a non-Firebase user (the sessionId is just a session id - not a Firebase user id):
const q = query(collection(firestore, "apples"), where("sessionId", "==", sessionId));
I am thinking that I need a Firestore rule to prevent access to the whole apples collection. I just want the user to access the documents where the sessionId field matches the sessionId of the requester.
I tried (which does not work):
match /apples/{appleID} {
allow read: if request.resource.data.sessionId == resource.data.sessionId;
}
But if I have understood the reference correctly - request.resource is only available on write requests.
How can I solve this issue?
Related
This question already has answers here:
Firestore unique index or unique constraint?
(5 answers)
Enforcing unique userIds in Firebase Firestore
(1 answer)
firebase rule for unique property in firestore
(2 answers)
Closed 2 years ago.
I have a Firestore document collection called registrations. Inside registrations, there are documents that contain name, phone number, and age of persons. I want to write the security rules database which allows the creation of person document if and only if another person with the same name does not exist on the database
Thanks in advance
It sounds like you want to keep your names distinct, such as with a UNIQUE constraint in SQL.
It is not possible to query specific document fields in Firestore security rules.
There are two ways to do what you want with Firestore:
use name as your document id
or create a collection /usedNames with name as document id, so that in your security rule you can test:
let name = request.resource.data.name;
return exists(/usedNames/$(name)) == false
This question already has answers here:
How to allow only particular fields of a firestore document to be accessed publicly
(2 answers)
Can I restrict certain fields in firestore database to be only fetched by firebase admin?
(2 answers)
Closed 2 years ago.
I am trying to implement security rule to limit users to access only specific fields inside a document. My data structure goes like this:
document {
name: John,
dob: 1994,
email: john#hotmail.com
}
I want to limit the name field to read, write by owner; dob field to read by owner, create by owner; email to read by owner, update by owner
I read the documentation, and it seems that I can only control access of a specific document with security rules. It didn't mention anything to allow access to a specific field. What I should do in order to allow access to specific fields inside a document?
Security rules can't be used to limit access to individual fields in a document. If a user has direct read access to a document, they can always read every field in the document.
Your only alternatives here are:
Split the restricted fields into a document in another collection, and protect that collection differently.
Reject direct access to the collection entirely, and force users through an API endpoint that strips out the restricted fields based on the user's identity, which was passed to the endpoint.
This question already has answers here:
Upload Image to Firebase Storage with the current users UID
(1 answer)
Get uid in firebase function onFinalize for firebase storage
(1 answer)
GET UID from firebase cloud functions
(1 answer)
Closed 2 years ago.
How to get uid of the authenticated user from the storage trigger below:
exports.storageSizeCounter = functions.storage.object().onFinalize(async (object, context) => {...});
auth/uid is available during security rule evaluation but it seems like it's not passed to the trigger (like in context.auth).
Any way to get the uid inside the storage trigger?
This question already has answers here:
Cloud Firestore: Enforcing Unique User Names
(8 answers)
Closed 3 years ago.
I am currently trying to verify before a user creates data in the database if the data exists. Even unter an other Document id.
Like this: User creates data, firestore rules gets all documents in collection and checks if the property name is the same as from the user provided. If yes, return unauthorized access.
At this point I have:
function checkIfCatExists(){
return get(/databases/$(database)/documents/category/$(documents)).data.name != null;
}
But this does not work. Do you guys have an idea? I could create a function for that but I want to do as much as possible with rules.
There is no way to search a collection for a specific value in security rules, as that operation wouldn't scale.
If you want to ensure unique user names, you'll have to create a collection where you use the user names as the key. You can then use the exists function in your security rules, to check if the name already exists in the collection.
Also see:
Cloud Firestore: Enforcing Unique User Names
Firestore security rule to check if character username already exists
Firestore security rules - can I query for a document with specific fields?
I want to write a rule that will don't allow add same document second time
This question already has answers here:
Getting the user id from a database trigger in Cloud Functions for Firebase?
(2 answers)
Closed 5 years ago.
Is is possible to get the user UID of the user who wrote/updated/deleted data from the database?
When you are using Firebase authentication you can get the uid of the authenticated user using the following lines of code:
FirebaseUser firebaseUser = firebaseAuth.getCurrentUser();
if (firebaseUser != null) {
String uid = firebaseUser.getUid();
}
On the other hand, you need to know that Firebase does not store meta-data or other informations regarding write operation. To achieve this, you need to create your own mechanism.
In your case, when a user creates a record, store his uid on a location from where you can query for that particular uid and use it for what you want.
In case you are trying to determine this within Cloud Functions i recomand you take a look at Firebase Cloud Functions and at jacobawenger's answer from this post