It's pretty common to do this kind of authorization, and yes, it's possible.
Firestore Security Rules provide us with request.auth.uid, which contains the UID of the user making the request, or null if it's unauthenticated.
So, you could use that information with an equality operator:
match /proposals/{uid} {
  // Listing, updating and deleting are denied for everyone.
  allow list, update, delete: if false;
  // Allow getting a document only if its ID equals the UID of the authenticated user making the request.
  allow get: if request.auth.uid != null && request.auth.uid == uid;
  // No condition: any request may create a document.
  allow create;
}
You should use get to define rules that will apply when any user is trying to get a document. Note that read is for any type of read request, which includes get and list.
More about Security Rules and Authentication: https://firebase.google.com/docs/rules/rules-and-auth
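
The decision logic of the rules above, modelled in plain JavaScript as an added example that is not part of the original answer and is not Firestore's evaluator. The sample users, the `decisionTable` helper and the `ownerOnlyCreate` variant are assumptions introduced here; the table shows which requests the rules admit, including that `allow create;` has no condition.

```javascript
// Plain-JavaScript model of the rules for /proposals/{uid}; not Firestore's evaluator.
// `request.auth` is null for an unauthenticated caller, as in Security Rules.
const isOwner = (request, uid) =>
  request.auth.uid != null && request.auth.uid === uid;

const rulesFromAnswer = {
  get: isOwner,
  create: () => true, // "allow create;" carries no condition
  list: () => false,
  update: () => false,
  delete: () => false,
};

// Assumed variant, not part of the answer: create is also limited to the owner.
const ownerOnlyCreate = { ...rulesFromAnswer, create: isOwner };

// A condition that throws (request.auth is null, so .uid fails) denies the
// request, which is how Security Rules treat an evaluation error.
function evaluate(rules, request) {
  const condition = rules[request.method];
  if (!condition) return false; // no matching allow statement
  try {
    return condition(request, request.docId) === true;
  } catch (err) {
    return false;
  }
}

// Constructed sample requests: alice is signed in, the "anon" cases are not.
function decisionTable(rules) {
  const alice = { uid: "alice" };
  const cases = {
    ownerGet: { method: "get", auth: alice, docId: "alice" },
    otherGet: { method: "get", auth: alice, docId: "bob" },
    anonGet: { method: "get", auth: null, docId: "alice" },
    ownerList: { method: "list", auth: alice, docId: null },
    ownerUpdate: { method: "update", auth: alice, docId: "alice" },
    ownerCreate: { method: "create", auth: alice, docId: "alice" },
    anonCreate: { method: "create", auth: null, docId: "bob" },
  };
  return Object.fromEntries(
    Object.entries(cases).map(([name, req]) => [name, evaluate(rules, req)])
  );
}

console.table({
  answer: decisionTable(rulesFromAnswer),
  ownerOnlyCreate: decisionTable(ownerOnlyCreate),
});
```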