My get(/databases/) call is not working in Firestore security rules ... Why? | C2C Community

My get(/databases/) call is not working in Firestore security rules ... Why?

  • 7 May 2023
  • 1 reply




I am new to the community but I have gathered that this is a good place to discuss and learn about Firebase technology, so that’s what I’d like to do.


My first post is about something I have been struggling with recently, and something which has led me to suspect that there’s a bug in the Firestore platform.


To replicate the situation I have, please arrange a Firestore in the formation shown in the images below:


/users/ = chief parent collection (empty) 


/userA/ & /userB/ are empty first-level sub-collections


/exclusiveA/ , /otherDetails/ and /signInData/ are parallel second-level sub-collections


/exclusiveB/, /otherDetails/ and /signInData/ are parallel second-level sub-collections


Okay, so to avoid any confusion, all of the data in the Firestore formation above, is two sub-collections beneath the chief parent collection.


What I have tried to achieve, is for the ‘exclusiveA’ sub-collection to be read by ‘userB’ users, if the value of the ‘creditCard’ (a boolean) is false.


The security rules I wrote are: 


rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {  
  match /users {
// if a rule isn't specified, Firestore denies by default
          allow read;
  match /users/{docId}/userA {
          allow read;
  match /users/{docId}/userB {
          allow read;
  match /users/{docId}/userA/{docId2}/exclusiveA/{docId3} {
// allow read if user: (1) has a uid, (2) has creditcard = false
          allow read: if request.auth.uid != null && get(/databases/$(database)/documents/users/$(docId)/userB/$(docId2)/exclusiveB/$(request.auth.uid)).data.creditCard == false;
  match /users/{docId}/userB/{docId2}/exclusiveB/{xcluB} {
          allow read: if == request.auth.uid;
  match /users/{docId}/userA/{docId2}/otherDetails/{id} {
          allow read: if request.auth.uid ==;
  match /users/{docId}/userB/{docId2}/otherDetails/{id} {
          allow read: if request.auth.uid ==;




So, despite the Firestore formation above and the security rules above, Firestore’s response is:


[cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation.


Can you help to explain why the get(/databases/) call within the security rules is failing please?


With thanks.



1 reply

Userlevel 7
Badge +28

@damisparks do you think you could help? I remember you were an expert on Firestore? :)