
These are the rules for saying only a logged-in user can access a document named with their user ID in the Realtime DB. I'm asking how to do this in Firestore, except the name of the documents isn't the user ID but the username (which is the first part of the email).

I have seen this done before when the document names are the UID, but my document names are the username of the user, and the username is stored as the part before the @ in the authentication email.

For example, I have these users:

  • john@gmail.com

  • jane@gmail.com

and my Firestore is:

collection: users

  • john

  • jane

Only a user logged in as john@gmail.com should be able to write to the john document in users. I couldn't figure out how to get the email out of the auth variable.

Is there a way to do this without renaming my documents to user id?

Sheshank S.
  • The security rules you're showing apply to the Realtime Database, while your question and tag indicate Cloud Firestore. While both databases are part of Firebase, they're completely separate, and the security rules for one don't apply to the other. To fix the error, you will have to set the rules for the Cloud Firestore. For a walkthrough of how to do that, see https://stackoverflow.com/a/52129163 – Frank van Puffelen Aug 27 '19 at 19:00
  • Yes, I'm using Cloud Firestore – Sheshank S. Aug 27 '19 at 19:00
  • I meant: for Cloud Firestore, how would I do it? I don't have any Realtime DB set up – Sheshank S. Aug 27 '19 at 19:01
  • My question is how to check if the first part of the email of the user is the name of the document they want to edit – Sheshank S. Aug 27 '19 at 19:02
  • @Frank van Puffelen – Sheshank S. Aug 27 '19 at 19:10
  • I suggest you go back and edit the question to more clearly show what the problem is. It's still showing Realtime Database security rules. – Doug Stevenson Aug 27 '19 at 20:22
  • @DougStevenson Yes, I'm saying I know how to do part of it in the Realtime Database, but I want to know how to do it in Firestore. I can remove that part if you want – Sheshank S. Aug 27 '19 at 20:28
  • Are you sure you wouldn't rather use the authenticated user's UID as the ID for the document? That will make writing your rules a whole lot simpler, and it won't break when you have users with different email domains than gmail.com. – Doug Stevenson Aug 27 '19 at 20:30
  • I'm getting input as usernames, so I'm creating an instance in Authentication as a fake email like "username@gmail.com". I also need to be able to view other users' documents, and I can't get another user's UID using their username – Sheshank S. Aug 27 '19 at 20:33
  • @DougStevenson Is there any way to access the email from the rules? It says the only two things in `request.auth` are `uid` - not useful for me, and `token` - not sure what this is – Sheshank S. Aug 27 '19 at 20:33
  • There is plenty of documentation about this. https://firebase.google.com/docs/firestore/security/rules-conditions#authentication – Doug Stevenson Aug 27 '19 at 20:34
  • @DougStevenson Yes, but none of it shows how to access the email, only `uid` – Sheshank S. Aug 27 '19 at 20:35

1 Answer


I found out you can get the email of the user with request.auth.token['email']. I'm able to just use this for allowing anyone to read, only people who aren't authenticated to create, and for updating and deleting a user can only update/delete their own document (with emails):

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // One match block covers all operations; permissions from overlapping
    // match blocks are OR-ed together, so splitting them gains nothing.
    match /users/{email} {
      // Anyone, signed in or not, can read any user document.
      allow read;
      // Only the signed-in account whose email claim equals the document ID
      // may modify it. This only matches if documents are named by the full
      // email address: a document named "john" never equals "john@gmail.com".
      allow update, delete: if request.auth != null
                            && request.auth.token.email == email;
      // Any signed-in account may create a document under any name.
      allow create: if request.auth != null;
    }
  }
}
Sheshank S.
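A rules file that does what the question actually asks, namely compare the part of the signed-in user's email before the @ with the document ID, written here as an added example; it is not code from the question or the answer above. The function names (hasEmail, usernameFromToken, ownsUsername) and the profiles and usernames collections in the second half are assumptions made for illustration; the users collection is the one from the question. The second half also covers the UID-keyed layout Doug Stevenson suggests in the comments, with a small lookup collection so a username can still be resolved to a UID, which was the objection raised against that layout.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: the caller signed in with an email-based provider, so the
    // ID token carries an "email" claim. Phone or anonymous sign-in does not,
    // and reading a missing claim would fail the rule anyway.
    function hasEmail() {
      return request.auth != null && 'email' in request.auth.token;
    }

    // Username = local part of the token's email, i.e. everything before '@'.
    // split() takes a regular expression and returns a list; index 0 is the
    // text before the first '@'.
    function usernameFromToken() {
      return request.auth.token.email.split('@')[0];
    }

    // True only for the caller whose own username is {username}.
    // email_verified stops someone from claiming an address they do not
    // control. Drop that clause if the app never sends verification mail
    // (the fake username@gmail.com accounts from the question never would);
    // uniqueness of the username then rests on Firebase Auth's
    // one-account-per-email setting.
    function ownsUsername(username) {
      return hasEmail()
        && request.auth.token.email_verified == true
        && usernameFromToken() == username;
    }

    // Layout from the question: /users/john, /users/jane.
    match /users/{username} {
      // Public profiles, as in the answer above.
      allow read: if true;
      // Create is restricted to the owner too, so another signed-in account
      // cannot claim /users/john before john does.
      allow create, update, delete: if ownsUsername(username);
    }

    // Alternative layout from the comments: key profiles by UID and keep a
    // lookup collection so a username can still be resolved to a UID.
    // Collection names "profiles" and "usernames" are assumptions.
    match /profiles/{uid} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == uid;
    }
    match /usernames/{username} {
      allow read: if true;
      // A username is claimed once, holds exactly the field "uid", and can
      // only point at the caller's own UID.
      allow create: if request.auth != null
                    && request.resource.data.keys().hasOnly(['uid'])
                    && request.resource.data.uid == request.auth.uid;
      allow update, delete: if false;
    }
  }
}
```

Check both halves in the Rules Playground in the Firebase console or against the emulator: a token for jane@gmail.com must be denied update on /users/john, and a second account must be denied create on /usernames/john once it exists. Note that the create rule in the answer above lets any signed-in account create any /users/{email} document; tying create to the owner, as done here, closes that.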