I have 2 collections: users and applications. Application documents have userID as a key that is a reference to a user. When I submit an application I want to check if that userID from this application is contained in any of the users' documents. Is that possible? These are my rules for now, but they're not working:

match /applications/{application} {
    allow create: if request.auth.uid != null && request.resource.data.userID != request.auth.uid;
}
Doug Stevenson
Kristian Kamenov

1 Answer

What you're trying to do isn't possible in security rules, since they don't have the ability to make a query. You can only get() individual documents, up to a limit of 10 per rule. If you need to do this, you'll have to program that in some backend, and have the client submit the new application through that endpoint. The backend code can query the database.

Doug Stevenson
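
The backend check described in the answer, as an added example (not code from the answer or from Firebase). `createApplication` is a hypothetical handler body for an endpoint such as a callable Cloud Function, `db` is assumed to be the Admin SDK's `admin.firestore()`, and the `userID` field on `users` documents and the `createdBy` field are assumptions. `fakeDb` is a constructed in-memory stand-in so the block runs offline.

```javascript
// Server-side validation that security rules cannot express as a query.
// Assumption: each users document stores its identifier in a `userID` field.
async function createApplication(db, authUid, data) {
  // Reject callers the endpoint could not authenticate.
  if (!authUid) throw new Error('unauthenticated');

  // Never trust the shape of client input.
  const userID = data && data.userID;
  if (typeof userID !== 'string' || userID.length === 0) {
    throw new Error('invalid-argument');
  }

  // The query itself: does any users document contain this userID?
  const match = await db.collection('users')
    .where('userID', '==', userID).limit(1).get();
  if (match.empty) throw new Error('not-found');

  // Write only the validated field plus the caller's uid; drop everything else.
  const ref = await db.collection('applications')
    .add({ userID, createdBy: authUid });
  return ref.id;
}

// Constructed stand-in for the few Firestore calls used above (offline runs only).
function fakeDb(seed) {
  const store = { users: [...(seed.users || [])], applications: [] };
  return {
    store,
    collection(name) {
      const rows = store[name];
      return {
        where(field, op, value) {
          const hits = rows.filter((r) => r[field] === value);
          return {
            limit: (n) => ({
              get: async () => ({ empty: hits.slice(0, n).length === 0 }),
            }),
          };
        },
        add: async (doc) => {
          rows.push(doc);
          return { id: `app-${rows.length}` };
        },
      };
    },
  };
}
```

Because the Admin SDK bypasses security rules, the `applications` rule can then deny client-side `create` so this endpoint is the only write path.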