I'm creating a Flutter Todo app that allows users to add a task for themselves or send it to another user via that user's account email.
My Firebase database has the following fields:
title, isChecked, recipient, sender, senderUID
My current Firebase security rules are as follows:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // A caller may touch a reminder if their email is the recipient, or if they carry an isAdmin claim
    function isOwnerOrAdmin(reminder, auth) {
      let isOwner = auth.token.email == reminder.recipient;
      let isAdmin = auth.token.isAdmin == true;
      return isOwner || isAdmin;
    }
    match /todos/{todo} {
      // User is author: the uid written into the new document must be the caller's uid
      // (field name matches the senderUID field listed above; "allow create: if" needs the colon)
      allow create: if request.auth.uid == request.resource.data.senderUID;
      // Existing document: resource.data is the stored copy, so check the stored recipient
      allow update, read, delete: if isOwnerOrAdmin(resource.data, request.auth);
    }
  }
}
Thank you!
Is auth.token.email the correct syntax to check for the incoming request email?
Yes, since you're passing request.auth as your auth variable, auth.token refers to the token for the user that sent the current request.
To access a document field (for example: recipient), which one is more syntactically correct, request.resource.data.recipient or resource.data.recipient?
Both are valid (otherwise you'd have gotten a syntax error when saving these rules), but they do something slightly different.
resource.data is the data as it exists before the current operation starts. request.resource.data is the data as it will exist if the current operation succeeds, so in write operations this contains the modified data. You can, for example, use both to determine whether the data modification that was done is valid/acceptable.
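The following is an added example of that before/after comparison for this todos collection; it is not the asker's or answerer's code. It assumes the five fields listed in the question, requires a verified email before any email comparison counts, and leaves out the isAdmin claim from the original rules.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Require a signed-in caller whose email claim is verified before comparing emails.
    function signedInWithEmail() {
      return request.auth != null && request.auth.token.email_verified == true;
    }

    // Shape check for a todo document (field names taken from the question).
    function hasTodoShape(data) {
      return data.keys().hasOnly(['title', 'isChecked', 'recipient', 'sender', 'senderUID'])
        && data.title is string && data.title.size() <= 200
        && data.isChecked is bool
        && data.recipient is string
        && data.sender is string
        && data.senderUID is string;
    }

    match /todos/{todo} {
      // create: only request.resource.data exists here (resource is null), so every
      // check is against the incoming document.
      allow create: if signedInWithEmail()
        && hasTodoShape(request.resource.data)
        && request.resource.data.senderUID == request.auth.uid
        && request.resource.data.sender == request.auth.token.email
        && request.resource.data.isChecked == false;

      // read/delete: only resource.data exists here (there is no incoming document),
      // so the stored recipient and sender decide who may see or remove it.
      allow read, delete: if signedInWithEmail()
        && request.auth.token.email in [resource.data.recipient, resource.data.sender];

      // update: both versions exist. The recipient may only toggle isChecked;
      // diff() against the stored copy rejects any rewrite of the routing fields.
      allow update: if signedInWithEmail()
        && request.auth.token.email == resource.data.recipient
        && hasTodoShape(request.resource.data)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['isChecked']);
    }
  }
}
```

Checking the diff on update is what stops a recipient from re-addressing a task to someone else or changing who it appears to come from, which a rule that looks only at request.resource.data cannot detect.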