Search code examples
firebasesecuritygoogle-cloud-firestorefirebase-security

How should the get-function call be expressed within Firestore Security Rules?

I have set Firestore security rules to read data conditionally, and I am finding that despite the conditions, data which isn't meant to be read is still being read.

I believe that the security rules I have written comply with the directions given within the Firestore manuals, so I'm unsure of how this problem can be solved.

Could you take a look at the details below and offer your feedback please?

My security rules are:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
      
    match /{users}/{eID} {
    allow create, read: if false;
    
       match/{userA}/{eID} {
       allow read: if false;
       
         match/{exclusiveA}/{preferredCurrency} {
         allow read, get: if request.auth != null && get(/databases/$(database)/documents/users/
              $(request.auth.uid)).data.creditCard == 'false' &&
              get(/databases/$(database)/documents/users/
              $(request.auth.uid)).data.currency == resource.data.preferredCurrency;
          }
        }
      }
    }
  }
}

My Firestore structure is as seen in the images below:

enter image description here

enter image description here

enter image description here

enter image description here

enter image description here

enter image description here

What is meant to happen is, the exclusiveA collection is to be looked into, but Firestore is to offer data to the user only where a field: preferredCurrency (within a field of the exclusiveA collection) and field: currency (within the exclusiveB collection) match. This would result in only one document being read-able by the user.

The result of the rules as they are, is that the user can read every document within the collection:

D/EGL_emulation(15692): app_time_stats: avg=3519.32ms min=63.38ms max=13687.19ms count=4
I/flutter (15692): The vehicle's maximum speed = 250.
I/flutter (15692): The vehicle's pulling strength = 500 bph.
I/flutter (15692): The vehicle's brand is CMW, and its model-name is K325S.
I/flutter (15692): The preferred currency = USD.
I/flutter (15692): The vehicle's maximum speed = 200.
I/flutter (15692): The vehicle's pulling strength = 500 bph.
I/flutter (15692): The vehicle's brand is Vercedes, and its model-name is QWE223.
I/flutter (15692): The preferred currency = GBP.

Many thanks for your time and for your assistance for resolving this problem.

Solution

  • If Firestore security rules have multiple matches, then access is allowed if any of the conditions are true.

    In the code you shared, these lines allow access to all of your documents:

    match /{document=**} {
  allow read, write: if true;

    So the rest of the conditions do not matter. The user will be able to read and write all documents regardless of whether they meet your additional conditions.

    See the official Firestore Security Rules docs for more info: https://firebase.google.com/docs/firestore/security/rules-structure#overlapping_match_statements