Search code examples
firebasegoogle-cloud-platformgoogle-cloud-firestorefirebase-security

How to use wildcards in firebase security rules

I'm trying to use a wildcard in my firebase security rules but it's not working like the online documentation describes. enter image description here

I want to return the entire itineraryList collection but the security rules aren't working.

match /itinerary/{userId=**}/itineraryList/{doc} {
  allow read: if request.auth.uid == userId; 
  allow write: if request.auth.uid == userId;
}

What is the correct syntax here to give authenticated users access to the entire list?

Solution

  • Update following your comments:

    If you want to give read access to any authenticated user to all documents under the itinerary collection (including sub-collections), do as follows:

    service cloud.firestore {
  match /databases/{database}/documents {
      match /itinerary/{docId=**} {
          allow read: if request.auth.uid != null;
      }   

      //possibly add another rule for write

  }
}

    Initial answer:

    This is because by doing {userId=**} you are using the "recursive wildcard syntax", see https://firebase.google.com/docs/firestore/security/rules-structure#recursive_wildcards. It will correspond to the "entire matching path segment".

    You should do:

    service cloud.firestore {
  match /databases/{database}/documents {
      match /itinerary/{userId}/itineraryList/{doc} {
        allow read: if request.auth.uid == userId; 
        allow write: if request.auth.uid == userId;
      }  
  }
}

    You may also watch this official Firebase video about Firestore security rules, it explains this point, among others: https://www.youtube.com/watch?v=eW5MdE3ZcAw