Security Rules

I am trying to grant permission based on a document field:

    match /users/{user}/{documents=**} {
        allow read, write: if resource.data.uid == request.auth.uid
    }

Firebase query

Here is how my query looks:

    query(collection(db, "users", match.params.uid, "promotors"));

Error message

But I keep getting this message:

    FirebaseError: Missing or insufficient permissions.

1 Answer

Your query is not in any way checking the data in a field in the documents, so it will never meet this part of your rules: `resource.data.uid`.

Instead what you seem to have is a case where the document ID matches the UID of the user, which you can check with:

    match /users/{user}/{documents=**} {
        allow read, write: if user == request.auth.uid
    }

Also see the documentation on content owner only access.

Frank van Puffelen
  • Hey Frank! In my use case I am passing a hashed uid in the query. And, the real uid is in a field inside the document (also the document id is the hashed uid). I am going to update my question with that information. – Davi Cheli Miquelim Dec 17 '21 at 01:19
  • There is no query in the code you shared. The `match.params.uid` you pass is interpreted as a document ID. I recommend first making it work with a non-hashed UID (keep in mind: [UID values are not secret](https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret)) before moving on to more complex scenarios. – Frank van Puffelen Dec 17 '21 at 01:23
  • I got it working without the hashes. But once I added hashes I could not get it to work. But, I checked the link that you sent and it seems that hashing the uid is useless – Davi Cheli Miquelim Dec 17 '21 at 01:26
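
Added example, not part of the original question, answer or comments: a simplified JavaScript model of the two rule conditions discussed above. It goes slightly beyond the thread by also showing a query that pins the `uid` field, and it shows why a hashed document ID no longer matches `request.auth.uid`. The function names, request shape and sample values are constructed assumptions, and the code does not reproduce Firestore's rule engine.

```javascript
// Simplified model of the two rule conditions; this is NOT Firestore's rule engine.
// All function names, the request shape and the sample values are constructed.

// Bind {user} from /users/{user}/{documents=**}. This sketch only handles
// subcollection paths such as the question's users/<id>/promotors.
function bindUserPath(path) {
  const seg = path.split("/").filter(Boolean);
  if (seg.length < 3 || seg[0] !== "users") return null;
  return { user: seg[1] };
}

// Question's condition: resource.data.uid == request.auth.uid
// A collection query is judged as a whole, so the condition can only hold
// if the query itself pins the uid field to the caller's UID.
function fieldRule(req) {
  if (!req.auth || !bindUserPath(req.path)) return false;
  return (req.where || {}).uid === req.auth.uid;
}

// Answer's condition: user == request.auth.uid (document ID in the path).
function pathRule(req) {
  const vars = bindUserPath(req.path);
  return Boolean(req.auth && vars && vars.user === req.auth.uid);
}

const alice = { uid: "alice-uid" };
const asked = { auth: alice, path: "users/alice-uid/promotors" };
const constrained = { ...asked, where: { uid: "alice-uid" } };
const hashedId = { auth: alice, path: "users/constructed-hash-of-uid/promotors" };
const signedOut = { auth: null, path: "users/alice-uid/promotors" };

function decisions() {
  return {
    fieldRuleAsAsked: fieldRule(asked),
    fieldRuleConstrained: fieldRule(constrained),
    pathRuleAsAsked: pathRule(asked),
    pathRuleHashedId: pathRule(hashedId),
    pathRuleSignedOut: pathRule(signedOut),
  };
}

console.log(decisions());
```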