I am trying to run a get() security rule but it won't trigger correctly; the inquiry just gets blocked.
My database structure:
groups (collection) > groupUid (Document)
|-groupUid: 1
|-groupLeader: N0NobC2qnRdVSQ7rrpXKeYg6BtA2
groupsUsers (collection) > groupUserUid (Document)
|-authUid: 94jksJGAZihZp0jaMCmctzsEnGo1
|-groupUid: 1
|-groupUserUid: 123
Now I want to make a security rule: when deleting a groupsUsers document, it should check if the signed-in person who deletes it has the authUid of the group's groupLeader.
match /groupsUsers/{itemId}{
  allow read: if isSignedIn();
  allow delete: if isOwner(resource.data) &&
                   isSignedIn();
  function isOwner(groupsUser) {
    return(
      get(/databases/$(database)/documents/groups/$(groupsUser.groupId)).data.groupLeader == request.auth.uid ||
      get(/databases/$(database)/documents/groups/$(groupsUser.groupId)).groupLeader == request.auth.uid
    )
  }
}
I checked to just read the document and that works, so I am signed in correctly. I am signed in as N0NobC2qnRdVSQ7rrpXKeYg6BtA2, so I should be able to delete the groupsUsers doc, because groupLeader == request.auth.uid should return true, but it won't work. Can anyone help?
I made a mistake in the query: groupId should have been groupUid. The question is solved by @grimsteel.
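The rule with the fix from the resolution applied, as an added example that is not part of the original post. Assumptions: the body of isSignedIn() (not shown in the post), the helper name isGroupLeader, the enclosing service/match wrapper, and that each groups document ID equals the groupUid value stored on the groupsUsers document.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed implementation; the post does not show this helper.
    function isSignedIn() {
      return request.auth != null;
    }

    // Hypothetical helper name. The groupsUsers document stores the parent
    // group in the field groupUid. The original rule read groupId, a field
    // that does not exist on the document, so the lookup could not be
    // evaluated and the delete was denied.
    function isGroupLeader(groupsUser) {
      // One get() is enough: document fields are always read through .data.
      return get(/databases/$(database)/documents/groups/$(groupsUser.groupUid))
               .data.groupLeader == request.auth.uid;
    }

    match /groupsUsers/{itemId} {
      allow read: if isSignedIn();

      // Check authentication first so request.auth.uid is never read
      // for an unauthenticated request.
      allow delete: if isSignedIn() && isGroupLeader(resource.data);
    }
  }
}
```

A rule that references a missing field is denied rather than failing open, which is why a field-name typo shows up as a blocked request with no other symptom.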