1

How can I write a security rule that limits the number of document created in a batch?

My use case is that on user creation, I create the user document containing its data, and I also create a few other docs - in the same collection. How can I limit the number of such creations to 5 for instance? I could explicitly name the documents "1", "2", "3", "4" and "5" but this would not be pretty

match /users/{user}/subcoll/{subcolldoc}{
  allow create: if request.auth.uid != null
    && request.auth.uid == user
    && getAfter(/databases/$(database)/documents/users/$(user)).data.createdon == request.time // So it is in the same batch/
    && subcolldoc in ["1", "2", "3", "4", "5"]
l1b3rty
  • 3,333
  • 14
  • 32
  • You're going to need a lot more than just a security rule to do this, since Firestore doesn't keep document counts for you. Full details of one possible solution are in the duplicate. Warning: it's a long journey to get there. – Doug Stevenson Feb 27 '20 at 16:12
  • And why would my solution not work? It's a workaround that will effectively only accept 5 docs max – l1b3rty Feb 27 '20 at 17:48
  • If your solution works for your case, then use it. It can not possibly work for more than 10 documents, since that is the limit of the number of gets you can use in a single evaluation. – Doug Stevenson Feb 27 '20 at 18:02
  • The point with my solution is that I explicitly name the document that can be created, so here there are only 5 possibilities, and I don't allow updates, so only 5 can be created – l1b3rty Feb 29 '20 at 22:25
  • OK, if it works for you, then use it. – Doug Stevenson Feb 29 '20 at 22:38

0 Answers0