This question already has answers here:
Cloud Firestore: Enforcing Unique User Names
(8 answers)
Closed 3 years ago.
I am currently trying to verify before a user creates data in the database if the data exists. Even unter an other Document id.
Like this: User creates data, firestore rules gets all documents in collection and checks if the property name is the same as from the user provided. If yes, return unauthorized access.
At this point I have:
function checkIfCatExists(){
return get(/databases/$(database)/documents/category/$(documents)).data.name != null;
}
But this does not work. Do you guys have an idea? I could create a function for that but I want to do as much as possible with rules.
There is no way to search a collection for a specific value in security rules, as that operation wouldn't scale.
If you want to ensure unique user names, you'll have to create a collection where you use the user names as the key. You can then use the exists function in your security rules, to check if the name already exists in the collection.
Also see:
Cloud Firestore: Enforcing Unique User Names
Firestore security rule to check if character username already exists
Firestore security rules - can I query for a document with specific fields?
I want to write a rule that will don't allow add same document second time
Related
My database is quite simple. A collection and inside, there are documents with user information, including their username.
(I am doing this in flutter and firestore).
What I want is to prevent two users from having the same username.
I am doing this to insert the data.
FirebaseFirestore.instance.collection('users').add({
'username': 'username',
'desc': 'some bio',
'fieldone': 'aaa',
'fieldtwo': 'bbb',
// other user info
});
And to consult the data of a user (by their username).
FirebaseFirestore.instance.collection('users').where('username', isEqualTo: 'username').get();
At the moment I insert the data, what can I do to verify that said username is already in the database?
So if the username already exists, return an error and don't let insert it. And if it doesn't exist yet, it can be inserted.
What query can help me for this?
I am new to firebase. :(. Thanks.
What query can help me for this?
This can't be accomplished by a single query. You will have to take the steps you outlined already in your question. You will have to first query for documents with that username, then only insert a new one if there were none found.
However, you should be aware that there is a race condition here. If two people are trying at the same time to add the same username, it's possible that they both end up adding a document.
The only way to ensure uniqueness in Firestore is using the document ID. You might want to consider using the ID of the document to store the username (or some version of it, like a hash) so that a race condition can never occur, and that you only have one document with that username.
See also:
Firestore unique index or unique constraint?
Cloud Firestore: Enforcing Unique User Names
Unique field in Firestore database + Flutter
firebase rule for unique property in firestore
As you can see, your issue has already been thoroughly discussed on Stack Overflow.
I have the following data as shown in the image.
I want to make sure that the username field is unique. How can I enforce that? Bear in mind that my document id is already unique and I don't want to use my username as the document ID
There is no way to enforce unique values of fields in Firestore. The only uniqueness you can guarantee is the document IDs within a collection, so the solution is to create a new collection where the user names are used as document IDs.
This has been discussed a few times before, so I recommend checking out:
Firestore security rule to check if character username already exists
Check a document field for a specific value in Cloud Firestore
I want to make unique usernames in firebase/firestore, which shows some of the relevant security rules.
Cloud Firestore: Enforcing Unique User Names
Firestore unique index or unique constraint?, a more complete write-up with code and rules samples.
Cloud Firestore: Enforcing Unique User Names
This question already has answers here:
Firestore unique index or unique constraint?
(5 answers)
Enforcing unique userIds in Firebase Firestore
(1 answer)
firebase rule for unique property in firestore
(2 answers)
Closed 2 years ago.
I have a Firestore document collection called registrations. Inside registrations, there are documents that contain name, phone number, and age of persons. I want to write the security rules database which allows the creation of person document if and only if another person with the same name does not exist on the database
Thanks in advance
It sounds like you want to keep your names distinct, such as with a UNIQUE constraint in SQL.
It is not possible to query specific document fields in Firestore security rules.
There are two ways to do what you want with Firestore:
use name as your document id
or create a collection /usedNames with name as document id, so that in your security rule you can test:
let name = request.resource.data.name;
return exists(/usedNames/$(name)) == false
This question already has answers here:
How to allow only particular fields of a firestore document to be accessed publicly
(2 answers)
Can I restrict certain fields in firestore database to be only fetched by firebase admin?
(2 answers)
Closed 2 years ago.
I am trying to implement security rule to limit users to access only specific fields inside a document. My data structure goes like this:
document {
name: John,
dob: 1994,
email: john#hotmail.com
}
I want to limit the name field to read, write by owner; dob field to read by owner, create by owner; email to read by owner, update by owner
I read the documentation, and it seems that I can only control access of a specific document with security rules. It didn't mention anything to allow access to a specific field. What I should do in order to allow access to specific fields inside a document?
Security rules can't be used to limit access to individual fields in a document. If a user has direct read access to a document, they can always read every field in the document.
Your only alternatives here are:
Split the restricted fields into a document in another collection, and protect that collection differently.
Reject direct access to the collection entirely, and force users through an API endpoint that strips out the restricted fields based on the user's identity, which was passed to the endpoint.
I have three types of collections in my database.
User
Post
Like
I make a 'like' document such that it has a _user and _post attribute that stores the user and post id respectively.
Currently I am writing a database rule such that a 'like' document is not created if there already exist a document which has the attribute value _user with the user trying to create the object and the _post which has the id the user is liking.
How do I write a rule for this situation ?
I don't think Firestore has any rules that can enforce this at the moment. But I do have some suggestions for alternative approaches:
1. Replicate the like user id to the Post with a cloud function:
You can set up a Firebase Cloud Function that triggers on Create operations of the Like collection. This Cloud Function writes the id of the user into an array on the post called like_users. Then you can have a rule that say:
allow create: if request.auth.uid not in get(/databases/$(database)/documents/Post/$( request.resource.data._post).data.like_users;
(Only problem with this solution, I don't think there is such a thing as "not in", this needs some research)
2. Check if there is a duplicate with a Cloud Function:
You can set up a Firebase Cloud Function that triggers on Create operations of the Like collection. In the function you query for Like documents with the same user and post id. If a document already exists, you delete the most recent one.
3. Restructure your database:
You could remove the Like collection, and instead have an array called "like_users" on the Post collection. This will need you to put a rule that checks if the user exists in the "like_users" array, so I think we might have the same problem as in alternative 1. You will also need to have rules saying that the user is not allowed to update the other fields of the document, which is possible.