
Firestore can't get data with only specific fields (ref).

I am using Firestore in Flutter. It is not safe when I fetch all fields of a collection in the client app: the user can read some fields that they shouldn't read.

Why doesn't Firebase provide this function?

What should I do?

How do most people solve this problem?

Should I create a sub-collection with only one document that holds the secret fields?

Should I create a new collection whose documents contain a document-ID field holding the ID of a secret document that contains the secret fields?

Or something else? I am new to NoSQL and Firebase. Please advise me. Thank you.

1 Answer


The two most common options are indeed to:

  1. Have a single top-level collection with the public information and then a subcollection under the user document with its secret/non-public information, typically indeed with a single document.
  2. Have two top-level collections, one with the public information and one with the secret/non-public information for all users.

In both cases you can then secure access to the documents with security rules.

Frank van Puffelen
  • Hi, thank you for the information. This is understandable. However, I just realized that my app has 5 roles and my employers want to show different information for each role. It's something very delicate. The options in this post can work with my app, but this will be difficult and messy. Do you know why Firestore in Flutter doesn't provide a function that can fetch specific fields, or whether such a function is in development? – Sittiphan Sittisak Oct 10 '22 at 15:43
  • Both security rules and local caching work on a document level, and would become a lot more complex if they had to check each document's contents. It'd mean the database couldn't meet its [performance guarantees](https://stackoverflow.com/questions/60228104/firebase-firestore-query-performance), which are pretty unique. --- The server-side SDKs do have the ability to read select fields, because they bypass security rules and don't implement offline caching. – Frank van Puffelen Oct 10 '22 at 17:57
  • I understand now. This is a limitation of the client side, for good performance. – Sittiphan Sittisak Oct 10 '22 at 18:19
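The two layouts from the answer above, expressed as Firestore security rules. This is an added example, not part of the answer or the question; the collection names `users`, `private` and `userSecrets` are assumed, and the documents are assumed to be keyed by the owner's Firebase Auth UID. Because rules are evaluated per document (as the comments explain), the split into separate documents is what makes the restriction possible.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Option 1: public profile document with a private subcollection.
    // Collection names are assumed; the document ID is the owner's UID.
    match /users/{uid} {
      // Any signed-in user may read the public fields.
      allow read: if request.auth != null;
      // Only the owner may change their own public profile.
      allow write: if request.auth != null && request.auth.uid == uid;

      // Secret fields live in their own document(s) below the profile,
      // so a client fetching /users/{uid} never receives them.
      match /private/{docId} {
        allow read, write: if request.auth != null
                           && request.auth.uid == uid;
      }
    }

    // Option 2: a parallel top-level collection keyed by the same UID.
    // Clients can only read the secret document that belongs to them.
    match /userSecrets/{uid} {
      allow read, write: if request.auth != null
                         && request.auth.uid == uid;
    }
  }
}
```

Rules do not filter query results, so a client query against `userSecrets` must itself be restricted to the caller's own document (for example by fetching `userSecrets/<own uid>` directly) or it is rejected outright.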