I am using Firebase Cloud Firestore, and I want to modify my rules to restrict users from querying a collection.
This should not be allowed:
firestore().collection("users").get()
But this should be allowed:
firestore().collection("users").doc("someUserId").get()
Currently, my rules look like this:
match /users/{userId} {
allow read;
}
but this rule allows the "users" collection to be queried.
How can I allow single document gets, but not collection queries?
You can break read rules into get and list. Rules for get apply to requests for single documents, and rules for list apply to queries and requests for collections (docs).
match /users/{userId} {
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
}