1

I want to implement the following constraints:

  • Users can save movies (titles) and view the title uploaded by other users too.
  • All users must be able to access all of the movies, but must only be able to edit/add/delete their own.
  • Users should not be able to view in any way who added a movie, only if that person is them. (I would like to make it so they can't even view if "X" and "Y" movie are from the same user)
  • User can have up to 3 movies added (this number is the client's requested one, but what if they change their mind, how to make it scalable?)

I have users logging in with firebase authentication, thus getting a user uid. I would like to make most constraints/checks on firestore server side, wherever possible, using firestore rules, on whatever other technology I don't know of as of writing this question.

I have thought of the following structures:

movies: {
  userUid1: {
    movie1:{
      name: "dummy name 1"
    },
    movie2:{
      name: "dummy name 2"
    }
  },
  userUid2: {
    movie1:{
      name: "first dummy name"
    },
    movie2:{
      name: "second dummy name"
    },
    movie3:{
      name: "third dummy name"
    }
  }
}

or:

movies: {
  movieUid1: {
    name: "dummy name 1",
    userId: "userUid1"
  },
  movieUid2: {
    name: "dummy name 2",
    userId: "userUid1"
  },
  movieUid3: {
    name: "dummy name 3",
    userId: "userUid2"
  },
  movieUid4: {
    name: "dummy name 4",
    userId: "userUid2"
  },
  movieUid5: {
    name: "dummy name 5",
    userId: "userUid2"
  }
}

This project is only for some friends, so nothing serious, but still I would like to structure the best way possible. I don't think this is relevant, but I use flutter to create the app.

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
KijeviGombooc
  • 304
  • 2
  • 13

2 Answers2

2

If you need to track number of movies saved by a user (or store any user related information later), you can try the following structure:

users -> { userId } -> movies -> { movieId }
(col)      (doc)       (col)       (doc)

Any user related user information can be stored in user's document and their movies in a sub-collection.

Users can save movies (titles) and view the title uploaded by other users too.

You can then use Collection Group queries to list all movies.

All users must be able to access all of the movies, but must only be able to edit/add/delete their own.

You can use security rules for that. These rules should work:

match /users/{userId}/movies/{movieId} {
  // Only authenticated users can read
  allow read: if request.auth != null;

  // Only the user who added movie can write/delete
  allow write: if request.auth != null && request.auth.uid == resource.data.author;
}

You need to store the user's UID in movies document for the above rules to work. You can use get() to read data from user's document.

User can have up to 3 movies added

You can add a rule that reads number of movies added by user from user's document and reject create if that value is 3.

You can checkout this answer to read more about root level collections and sub-collections:

Are there any benefits of using subcollections in firestore?

Dharmaraj
  • 47,845
  • 8
  • 52
  • 84
  • "You can add a rule that reads number of movies added by user from user's document and reject create if that value is 3." How should I approach this? As far as I know, I cannot count documents in a firestore rule. – KijeviGombooc Feb 21 '22 at 13:13
  • 1
    @KijeviGombooc so whenever user adds a movie you increment an int field in user document and decrement when user removes it. You can always read that int from user doc in security rules . – Dharmaraj Feb 21 '22 at 13:33
  • I know how to read that counter information, but is there a way for me to write that server side? As far as I know I cannot write fields in a rule. – KijeviGombooc Feb 21 '22 at 14:13
  • It would be unsafe to update from client though, isn't it? That would mean the user could add a movie and set the counter to zero, right? For me, this isn't really a problem cause it's just for friends, of course. – KijeviGombooc Feb 21 '22 at 14:21
  • 1
    @KijeviGombooc true, [Cloud Firestore triggers](https://firebase.google.com/docs/functions/firestore-events) for Cloud function might be useful. – Dharmaraj Feb 21 '22 at 14:34
0

Generally speaking, I think the typical approach would be to do both. Firestore doesn't do a great job on a query like "show me all movies in the movie collection with userID xyz" or "find me the movie record xyz that's buried under some user who I don't know".

So typically, if you need to look up a specific movie, as well as get a list of all movies for one user, you would store the data in both ways and then use triggers (in this case Firebase functions) to keep them in sync.

The answer to this post (What is denormalization in Firebase Cloud Firestore?) has a great explanation.

Dov Rosenberg
  • 673
  • 6
  • 20