
I need help creating some Firestore security rules to work with queries in my code. I have tried using a HashMap as below; 'sharedWith' is a HashMap field in my document:

```
...
  sharedWith
        abc@gmail.com : true
        zzz@gmail.com : true
...
```

I tried setting up my security rule as below:

```
allow read: if isSignedIn() && resource.data.sharedWith[request.auth.token.email]=="true"
```

What I am expecting to happen is that when user 'zzz' is logged in, that user should be able to read this document (which is created by some other user).

My query is as follows:

```
db.collection("Sites")
        .whereEqualTo("sharedWith."+"zzz.@gmail.com",true)
        .get()
        .addOnSuccessListener { result -> ...
```

Where am I going wrong please?

The error I am getting is as follows:

```
Listen for Query(Sites where sharedWith.zzz@gmail.com == true order by name) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}
```

Frank van Puffelen
Damandroid
  • Your error shown has nothing to do with security rules. In Firestore, period is a special character. See [this](https://stackoverflow.com/questions/49643235/firestore-how-to-update-a-field-that-contains-period-in-its-key-from-andro) and [this](https://stackoverflow.com/questions/47801910/cannot-update-delete-firestore-field-with-period-in-the-name) for more information. – Doug Stevenson Mar 03 '19 at 19:45
  • In general, you're **much** better off using the UID of the user, as given by Firebase Authentication. Email addresses are problematic. – Doug Stevenson Mar 03 '19 at 19:47
  • The problem is that userA does not know the UID of other users, just the email address – Damandroid Mar 03 '19 at 19:56
  • Then avoid using a period in the field values, or find a way to escape them (I don't know offhand). – Doug Stevenson Mar 03 '19 at 20:29
  • Thanks Doug! One concern arises though, i.e., if I remove all control/period characters in my code and queries, how do I change it in rules 'request.auth.token.email'? – Damandroid Mar 03 '19 at 20:36
  • https://stackoverflow.com/questions/47070823/using-the-replace-function-in-firestore-security-rules – Doug Stevenson Mar 03 '19 at 21:14
  • Tried adding: `function replace(string, replace, by) {return string.split(replace).join(by);}` and updated the security rule to `resource.data.sharedWith[replace(request.auth.token.email,'.',',')]=="true";` but I think join is not supported; I checked this page: https://firebase.google.com/docs/reference/rules/rules.String. Anything else I can try? – Damandroid Mar 03 '19 at 22:15

0 Answers
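
The period issue raised in the comments, modelled in plain JavaScript as an added example (not part of the original thread and not Firestore SDK code): a dotted path string is cut at every period, so the email key is never reached, while passing the key as its own segment or storing a period-free encoding of it resolves. All helper names and the sample document are constructed for illustration.

```javascript
// Added illustration: a model of dot-separated field-path lookup.
// Not Firestore SDK code; every helper name here is hypothetical.

// Constructed sample document shaped like the one in the question.
const siteDoc = {
  name: "Site A",
  sharedWith: { "abc@gmail.com": true, "zzz@gmail.com": true },
};

// A dotted path string is cut at every period, including those in the email.
function splitPath(path) {
  return path.split(".");
}

// Walk the document one segment at a time; undefined if a segment is missing.
function resolve(doc, segments) {
  let node = doc;
  for (const seg of segments) {
    const isMap = node !== null && typeof node === "object";
    if (!isMap || !Object.prototype.hasOwnProperty.call(node, seg)) return undefined;
    node = node[seg];
  }
  return node;
}

// Period-free map key using the comma substitution tried in the comments.
// Assumption: the address contains no comma, so the encoding is reversible.
function encodeKey(email) {
  if (email.includes(",")) throw new Error("comma in address: encoding would be ambiguous");
  return email.split(".").join(",");
}

// Rebuild a document whose sharedWith keys are stored in encoded form.
function withEncodedKeys(doc) {
  const sharedWith = {};
  for (const [email, flag] of Object.entries(doc.sharedWith)) sharedWith[encodeKey(email)] = flag;
  return { ...doc, sharedWith };
}

const email = "zzz@gmail.com";
// 1. Dotted string: resolves sharedWith -> "zzz@gmail" -> "com" and finds nothing.
const viaDottedString = resolve(siteDoc, splitPath("sharedWith." + email));
// 2. Explicit segments: the whole address is one key.
const viaSegments = resolve(siteDoc, ["sharedWith", email]);
// 3. Encoded key: the dotted string is safe because the key has no period left.
const viaEncodedKey = resolve(withEncodedKeys(siteDoc), splitPath("sharedWith." + encodeKey(email)));

console.log({ viaDottedString, viaSegments, viaEncodedKey });
```

Whatever encoding is applied to the stored keys has to be applied identically to `request.auth.token.email` inside the rule, otherwise the rule and the query look up different keys.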