Search code examples
fluttergoogle-cloud-firestorefirebase-security

Firestore rules: why the caller does not have permission to execute the specified operation?

I have a collection with documents that have the following fields

  • uid: it is the user ID of the user who created the document
  • anotherId: it is another id
  • andAnotherId: it is another id
  • date: it is the date of creation in seconds plus 1,000,000 seconds

enter image description here

In flutter I have the following query

    _firestore
      .collection('subscriptions')
      .where('anotherId', isEqualTo: '1')
      .where('andAnotherId', isEqualTo: '2')
      .where('date', isGreaterThanOrEqualTo: dateInSeconds)
      .limit(1)
      .get()
      .then(....

I would like to set up a rule where only the user who created the document can read the document. I have written the following but it is not working. Does anyone know why??

    match /subscriptions/{item} {
      allow read: if request.auth != null
                  && request.auth.uid == resource.data.uid;
   }

Note that it works if I write this rule (but I would like to avoid other user can read documents created by other users)

    match /subscriptions/{item} {
      allow read: if request.auth != null;
   }
Solution

  • I have solved by changing the query as follow but still I am not getting why it did not work before

    _firestore
  .collection('subscriptions')
  .where('uid', isEqualTo: uid)
  .where('anotherId', isEqualTo: '1')
  .where('andAnotherId', isEqualTo: '2')
  .where('date', isGreaterThanOrEqualTo: dateInSeconds)
  .limit(1)
  .get()
  .then(....