Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Firestore replication data creation and rules #6707

Open
ben12 opened this issue Jan 2, 2025 · 2 comments
Open

Firestore replication data creation and rules #6707

ben12 opened this issue Jan 2, 2025 · 2 comments

Comments

@ben12
Copy link

ben12 commented Jan 2, 2025

I am trying to implement this kind of rules in Firestore database (https://firebase.google.com/docs/firestore/security/insecure-rules#open_access):

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow only authenticated content owners access
    match /some_collection/{document} {
      // Allow reads and deletion if the current user owns the existing document
      allow read, delete: if request.auth.uid == resource.data.author_uid;
      // Allow creation if the current user owns the new document
      allow create: if request.auth.uid == request.resource.data.author_uid;
      // Allow updates by the owner, and prevent change of ownership
      allow update: if request.auth.uid == request.resource.data.author_uid
                    && request.auth.uid == resource.data.author_uid;
    }
  }
}

In replication configuration I set filter to be conform with the rules:

        pull: {
          filter: [
            firestore.where("author_uid", "==", getAuth()?.currentUser?.uid),
          ],
        },

But this do not work for data creation because push do a get by ids without the pull filter configuration.

Even though all documents returned by the query have the correct "author_uid", "resource.data.author_uid" is not the result of the query but the potential result obtained using the query criteria (https://firebase.google.com/docs/firestore/security/rules-conditions#rules_are_not_filters) :

Cloud Firestore security rules evaluate each query against its potential result and fails the request if it could return a document that the client does not have permission to read. Queries must follow the constraints set by your security rules.

So, using Firestore replication plugin, it is impossible to implement rules based on the values ​​of the result data fields.
@pubkey
Copy link
Owner

pubkey commented Jan 4, 2025

Can you reproduce this in a unit test?

@ben12
Copy link
Author

ben12 commented Jan 5, 2025

I can reproduce this in an unit test, but when I try to fix it, it not works :/

getDocs(document, where("author_uid", "==", ownerId)) works, but
getDocs(document, where("author_uid", "==", ownerId), where(documentId(), "in", ids)) does NOT work,
getDocs(document, where("author_uid", "==", ownerId), where(documentId(), "==", id)) does NOT work.

I also tried with real firestore instead of emulator, with the same result.

I do not find any explanation or issue about this behavior...
And I am surprised because it is the default example in Firebase documentation (and in yours).

For my project I changed for the user uid in the collection path, but It could be fine for share data between users (with a public boolean field for example).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ben12 @pubkey