
I have the following Firestore db structure (image 1). I want (unauthenticated) users of my web app to be able to see each plumber's public profile, which contains reviews (image 2) they get from the won jobs. My question is how could I safely expose the UID of each user who has made one of those reviews. Hopefully my question makes sense.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

[image 1: db structure] [image 2: the UI I want to achieve]

  • What do you mean by safely expose? There isn't any risk with UIDs as long as your security rules don't allow anyone to write or read unauthorized content. Checkout [this answer](https://stackoverflow.com/questions/42620723/firebase-database-risks-associated-with-exposing-uid-on-the-client-side) – Dharmaraj Sep 22 '21 at 12:22
  • Hello Dharmaraj, thank you for sharing the link! Since my review sub collection is located in the users collection, which is private, I cannot come up with a solution to safely show the sub collection publicly. The review sub collection contains a "Job ID" which is associated with the Jobs collection, and it has multiple IDs. Hope this makes sense :D – Stas Pegov Sep 22 '21 at 12:50
  • What are you trying to hide in this case from the review document? It's private but you still want to show it to all users is confusing a bit. Are you saying users can only read and not write something ? – Dharmaraj Sep 22 '21 at 12:51
  • Not trying to hide anything, I just want to prevent possible data leaks or data manipulation by others. Does Firestore allow publicly showing a sub collection which is located in a private collection? Thank you once again :D – Stas Pegov Sep 22 '21 at 12:54
  • Can you add your security rules in your question ? – Dharmaraj Sep 22 '21 at 12:55
  • Your current rules allow anyone who is authenticated read/write anything in database. Nothing seems to be private here. Is your question asking how to write rules for your use case ? – Dharmaraj Sep 22 '21 at 13:05
  • I'm working on rules right now, yes you are right. I am trying to achieve the correct form of writing rules for my case so I could prevent leaks. – Stas Pegov Sep 22 '21 at 13:08
  • In that case you should explain who can access those collections and provide more details so we know what rules would be appropriate for your use case. – Dharmaraj Sep 22 '21 at 13:43
  • Here is a link to one of the public profiles of my project: "https://liberameapp.com/plumberprofile?query=Qb5aUuAaMvMFJUOVNqDKgmDzulD2". Basically I want (unauthenticated and authenticated) users to be able to see all the reviews of completed jobs. Reviews is a sub collection which is located in the "Users" collection. The "Users" collection contains personal data such as emails and phone numbers. I don't want to show that data. – Stas Pegov Sep 22 '21 at 14:08

1 Answer

If you want to allow users to read/write their own user document and allow anyone to read their reviews, try these rules:

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    // The user document (emails, phone numbers) is readable and updatable
    // only by its owner; unauthenticated requests have request.auth == null.
    match /users/{userId} {
      allow read, update: if request.auth != null && request.auth.uid == userId;

      // Rules do not cascade from the parent document, so this subcollection
      // gets its own rules: anyone can read a review, only its poster can write it.
      match /reviews/{reviewId} {
        allow read: if true;
        // On create there is no existing document (resource is null),
        // so the check has to use the incoming data instead.
        allow create: if request.auth != null
                      && request.auth.uid == request.resource.data.userId;
        allow update, delete: if request.auth != null
                              && request.auth.uid == resource.data.userId;
      }
    }
  }
}

Here only the poster of a review can write (update/delete) it, and any unauthenticated user can read them. However, they cannot access the User document.

You can read more about security rules in the documentation.

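A way to check what the answer's rules are meant to do, as an added example that is not part of the question or answer: a small JavaScript stand-in for the Firestore rules engine that evaluates the rule set (poster-only writes, with create checked against request.resource.data because resource is null on create) over constructed sample requests. The document paths, UIDs and review fields are constructed assumptions; run the real rules against the Firebase emulator before deploying.

```javascript
// Added example, not the question's or answer's code: models how the answer's
// rules evaluate so the intended effect (private user doc, public reviews,
// poster-only writes) can be checked. A model of the rules, not the real engine.

// Constructed sample data, keyed by document path.
const db = {
  "users/plumber1": { email: "p@example.com", phone: "555-0100" },
  "users/plumber1/reviews/r1": { userId: "client1", rating: 5, text: "Fixed the leak" },
};

// Returns true when the rules would allow `op` on `path`.
// `auth` is null for unauthenticated requests (request.auth in rules);
// `incoming` is request.resource.data. The stored document (resource.data)
// is null on create, which is why create must check `incoming` instead.
function allow(op, path, auth, incoming = null) {
  const seg = path.split("/");
  const stored = db[path] ?? null;
  // match /users/{userId}: only the owner may read or update it
  if (seg.length === 2 && seg[0] === "users") {
    return (op === "get" || op === "update") && auth !== null && auth.uid === seg[1];
  }
  // match /users/{userId}/reviews/{reviewId}: anyone reads, only the poster writes.
  // The /users/{userId} rule above does not cascade into this subcollection
  // (that would need {document=**}), so public read here does not expose the
  // parent user document.
  if (seg.length === 4 && seg[0] === "users" && seg[2] === "reviews") {
    if (op === "get" || op === "list") return true;
    if (auth === null) return false;
    if (op === "create") return incoming !== null && auth.uid === incoming.userId;
    return stored !== null && auth.uid === stored.userId; // update, delete
  }
  return false; // no matching rule: Firestore denies by default
}

// Evaluates constructed scenarios and returns the verdict for each.
function verdicts() {
  const client = { uid: "client1" }, other = { uid: "mallory" };
  return {
    anonReadsReview: allow("get", "users/plumber1/reviews/r1", null),
    anonReadsUserDoc: allow("get", "users/plumber1", null),
    otherReadsUserDoc: allow("get", "users/plumber1", other),
    ownerReadsUserDoc: allow("get", "users/plumber1", { uid: "plumber1" }),
    posterUpdatesReview: allow("update", "users/plumber1/reviews/r1", client, { rating: 4 }),
    otherUpdatesReview: allow("update", "users/plumber1/reviews/r1", other, { rating: 1 }),
    posterCreatesReview: allow("create", "users/plumber1/reviews/r2", client, { userId: "client1" }),
    spoofedCreate: allow("create", "users/plumber1/reviews/r3", other, { userId: "client1" }),
  };
}
```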