9

This is a followup to this question
Firestore permissions

I'm trying to set rules on my firestore

service cloud.firestore {
  match /databases/{database}/documents {
    match /analysis/{analysis} {
      allow read, write: if request.auth.uid == resource.data.owner_uid;
    }
  }
}

My goal is
a. When doing a list operation only those documents belonging to a user are returned
b. only documents a user owns can be read or written by that user.

With the above configuration b. is accomplished.
how do I do accomplish a. ?

w--
  • 6,427
  • 12
  • 54
  • 92
  • you can achieve that client side with a query. i think your first problem is not possible with rules. – Hareesh Nov 28 '17 at 07:30

1 Answers1

21

Remember that firestore rules are not filters, they're a server-side validation of your queries. You should always make your queries match your rules, or else you'll get permission errors.

In your case you already made the rule to enforce reading/listing on user owned documents. Now you simply have to make the corresponding query with the right filters :

const userId = firebase.auth().currentUser.uid

db.collection("analysis").where("owner_uid", "==", userId)

Another thing. With your current rules, your users won't be able to create a new document, only edit an existing one, here are the updated rules to allow that :

allow read: if request.auth.uid == resource.data.owner_uid;

allow write: if request.auth.uid == resource.data.owner_uid
             || request.auth.uid == request.resource.data.owner_uid;
jeben
  • 585
  • 4
  • 8