Firestore permissions

Question

How do I configure permissions so that a user can only read and write documents where they are the owner? my documents have a top level attribute called owner.

I read these docs
https://firebase.google.com/docs/firestore/security/secure-data?authuser=0#the_resource_variable

and it seems like this should work?

service cloud.firestore {
  match /databases/{database}/documents {
    match /analysis/{analysis} {
      allow read, write: if request.auth.email == resource.data.owner
    }
  }
}

however this doesn't seem to work. i continuously get insufficient permission error. What do i need to change?

Update:

After reading the docs @Doug Stevenson linked I decided to go with

service cloud.firestore {
  match /databases/{database}/documents {
    match /analysis/{analysis} {
      allow read, write: if request.auth.uid == resource.data.owner_uid;
    }
  }
}

So my original intent was that when we do a list operation:

a. only those documents belonging to a user are returned
b. only documents a user owns can be read or written by that user.

With the above configuration b. is accomplished.
how do I do accomplish a. ?

score 5 · Accepted Answer · answered Nov 24 '17 at 13:11

5

According to the documentation, you should use request.auth.token.email (not request.auth.email).

answered Nov 24 '17 at 13:11

Doug Stevenson

297,357
32
422
441

Good catch! That `token` in there messes me up every time. :-/ – Frank van Puffelen Nov 24 '17 at 16:52
Thanks @doug stevenson. I've udpated my question above. let me know if you think it's better suited to a new question. – w-- Nov 27 '17 at 12:43

score 4 · Answer 2 · answered Dec 07 '17 at 00:26

To answer your update question part (a):

I has a similar issue - I had my rules set correctly to allow that user to read and write. However, Firestore needs us to have our queries match the firestore database rules. So the query on the front should match what that user has access to. So my issue was I was asking for all products in the collection. What I needed to change it to was asking for all products in the collection where the "owner" of the product matched the logged in user, like this:

db.collection('products').where('owner', '==', firebase.auth().currentUser.uid).get()

Hope this helps

thanks. i re asked my question seperately here https://stackoverflow.com/questions/47472230/firestore-permissions/47685677#47685677 and got the same answer — w--, Dec 08 '17 at 01:31

Firestore permissions

2 Answers2

Linked