Access your own data, shared data, or designated data with Firebase rules

Question

Access your own data, shared data, or designated data with Firebase rules

Seeking guidance on implementing firebase rules and queries for Firestore in a Vue.js application.

Requirement: User must be authenticated

User can read/write their own data entries
User can read data with "visibility" field set to "public"
User can read specific entries using document ID, even if "visibility" is not public (e.g. "private")

Assume the collection contains entries created by different users:

User-B can read/write the 2nd entry
User-A, B, C can read 1st and 3rd entries
User-A, C can read 2nd entry with known document ID

Is "user_id" field required to filter self-created documents or does Firebase provide built-in functionality based on authentication?

[
  {
    "user_id": "User-A's firebase id",
    "foo": "foo",
    "bar": true,
    "visibility": "public"
  },
  {
    "user_id": "User-B's firebase id",
    "foo": "foo",
    "bar": true,
    "visibility": "private"
  },
  {
    "user_id": "User-C's firebase id",
    "foo": "foo",
    "bar": true,
    "visibility": "public"
  }
]

Requesting assistance with creating rules and queries using this npm package.

Current query for retrieving self-created entries:

this.db.collection("my_collection").where('user_uid','==',this.$store.state.user.id).get().then((querySnapshot) => {
      querySnapshot.forEach((doc) => {
        //do something 
      });
    });

Create entry query:

db.collection("my_collection").add({
    user_uid: this.$store.state.user.id,
    foo: this.foo,
    bar: this.bar,
    visibilty: this.visibility
  })

Existing rule:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth.uid != null;
    }
  }
}

javascript firebase vue.js google-cloud-firestore firebase-security

Answer 1

Answer №1

When it comes to Firestore, there is no automatic linking of documents to the users who created them. If you require such metadata, it must be stored in each document individually.

In order to ensure that a user is only able to access their own documents, two key elements are necessary:

A tailored query that specifically targets and retrieves those particular documents – which you already have covered ✔.
Rules need to be put in place to permit the query while blocking broader data access requests.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null && request.auth.uid == resource.data.user_uid;
    }
  }
}

To delve deeper into this topic, refer to the documentation on securely querying data.

If you wish to accommodate other scenarios, you will need to expand your rules to grant access accordingly. However, keep in mind that separate queries will be necessary for each case since Firestore queries cannot encompass OR conditions across multiple fields – a requirement specific to your use-case.

Answer 2

When it comes to Firestore, there is no automatic linking of documents to the users who created them. If you require such metadata, it must be stored in each document individually.

In order to ensure that a user is only able to access their own documents, two key elements are necessary:

A tailored query that specifically targets and retrieves those particular documents – which you already have covered ✔.
Rules need to be put in place to permit the query while blocking broader data access requests.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null && request.auth.uid == resource.data.user_uid;
    }
  }
}

To delve deeper into this topic, refer to the documentation on securely querying data.

If you wish to accommodate other scenarios, you will need to expand your rules to grant access accordingly. However, keep in mind that separate queries will be necessary for each case since Firestore queries cannot encompass OR conditions across multiple fields – a requirement specific to your use-case.

Access your own data, shared data, or designated data with Firebase rules

Answer №1

Similar questions

Sails.js navigating through sessions

Tips for improving performance with ng-repeat directive?

What sets MongoDB Shell Scripting apart from JavaScript?

Searching for matching strings in jQuery and eliminating the parent div element

The design template is failing to be implemented on my personal server utilizing node.js

Error message: 'Vue is not defined' when using RequireJS

Performing mathematical computations through a mixin without relying on inline javascript code

What is the most efficient way to organize an array by date?

Ensure the buttons within v-card-actions are responsive to different screen sizes

Webpack is throwing an error stating that it cannot find a module with the relative path specified

Issue with the dueChange event not functioning properly in Ionic 5 and Vue 3 duet picker

Ways to efficiently transfer multiple files from a server to a client using Express in NodeJS

Create a website specifically designed to showcase the functionality and capabilities of an API

Using jQuery code within PHP pages is a convenient and powerful way to

Enhance the angular 2 dependencies within the angular2-cli project

Having issues with setting up nodejs on kali linux

The table headers in the second table do not match the queryAllSelector

When implementing require('devtron').install(), it triggers the error message "Uncaught TypeError: Cannot read property 'BrowserWindow' of undefined" within an Electron application

Drop-down menu for every individual cell within the tabular data

Is the reference to a variable within an array maintained by JavaScript?