This is my DB-Structure:

users (collection) -> user-docs (uid) -> wishlists (collection) -> wishlist-docs -> wünsche -> wünsche-docs

A user-document has the field username which should be readable for everyone, also not authorized users. Other than that all the docs and fields should only be readable if the user is authorized.

A wünsche-document has a field isReservedFrom which should be writable for every user who is authorized. For all the other fields/documents users can only write their own documents.

Right now this is what I have:

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
      allow write: if request.auth != null;
    }
  }
}
```

This is not very secure and not exactly what I would like to have, but I don't know how I should change it for my exact purpose. Happy for any help!

If anything is unclear just let me know!

**Update**

This is what I tried:

Everyone who is authorized should be able to write all docs and read. Only users should be readable for everyone. But I am messing something up with the syntax here...

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if request.auth != null;
    }
    match /{users} {
      allow read;
    }
    match /{users}/documents/{allSubcollections=**} {
      allow read: if request.auth != null
    }
  }
}
```
Chris
  • On Stack Overflow, it's expected that you make an attempt at solving a specific problem, then post the code that doesn't work the way you expect, along with your debugging details. It doesn't look as if you've attempted anything yet - what you are showing is default rules. – Doug Stevenson Nov 02 '20 at 21:11
  • "A user-document has the field username which should be readable for everyone, also not authorized users. Other than that all the docs and fields should only be readable if the user is authorized." This is not possible with Firebase security rules. A document is either fully readable, or not readable at all. – Frank van Puffelen Nov 02 '20 at 21:14
  • @FrankvanPuffelen does the same go for `write`? – Chris Nov 02 '20 at 21:15
  • For writes you could ensure that only certain fields can have their value changed by comparing the `request.resource.data` with `resource.data`. Also see https://firebase.google.com/support/release-notes/security-rules#february_13_2020 – Frank van Puffelen Nov 02 '20 at 21:19
  • @FrankvanPuffelen ok got it thanks, I edited my question. Could you maybe help me out here? – Chris Nov 02 '20 at 21:28
  • @DougStevenson I updated my question – Chris Nov 02 '20 at 21:31
  • Your original question was only about reading documents, which is why I closed it as a duplicate of an existing question. If you want to limit write access to specific fields, open another question for that. But please show what you've tried based on the info and link I shared in my previous comment, as right now the rules in your edit show nothing based on that. – Frank van Puffelen Nov 02 '20 at 21:34
  • @FrankvanPuffelen I actually don't want that anymore. I am rearranging my database, but for now what I want is the **Update**, but it is not working.. – Chris Nov 02 '20 at 21:36
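
An added example, not part of the original question or its comments: one way to write rules for the structure described in the question, using the `request.resource.data` versus `resource.data` comparison mentioned in the comments to limit which fields a non-owner may change. It assumes the user document ID is the Firebase Auth uid, the helper function names and wildcard names are illustrative, and the subcollection under a wishlist is matched with a wildcard segment (on this page that is wünsche).

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Illustrative helpers (names are not from the original post).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }

    // User document: a document is readable as a whole or not at all,
    // so anything stored here next to username becomes public too.
    match /users/{uid} {
      allow read;
      allow write: if isOwner(uid);

      // Wishlists: any signed-in user may read, only the owner may write.
      match /wishlists/{wishlistId} {
        allow read: if signedIn();
        allow write: if isOwner(uid);

        // Wish documents (the wünsche subcollection on this page).
        match /{wishes}/{wishId} {
          allow read: if signedIn();
          allow create, delete: if isOwner(uid);

          // The owner may update anything. Any other signed-in user may
          // update only when the set of changed keys is limited to
          // isReservedFrom.
          allow update: if isOwner(uid)
            || (signedIn()
                && request.resource.data.diff(resource.data)
                     .affectedKeys().hasOnly(['isReservedFrom']));
        }
      }
    }
  }
}
```

Paths that no `match` block covers are denied by default, so the catch-all `match /{document=**}` block from the question is not needed.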

0 Answers