My get(/databases/) call is not working in Firestore security rules ... Why? | C2C Community


  • 7 May 2023
  • 1 reply
  • 11 views

 

Hi

 

I am new to the community but I have gathered that this is a good place to discuss and learn about Firebase technology, so that’s what I’d like to do.

 

My first post is about something I have been struggling with recently, and something which has led me to suspect that there’s a bug in the Firestore platform.

 

To replicate the situation I have, please arrange a Firestore in the formation shown in the images below:

 

/users/ = chief parent collection (empty) 

 

/userA/ & /userB/ are empty first-level sub-collections

 

/exclusiveA/ , /otherDetails/ and /signInData/ are parallel second-level sub-collections

 

/exclusiveB/, /otherDetails/ and /signInData/ are parallel second-level sub-collections

 

Okay, so to avoid any confusion, all of the data in the Firestore formation above is two sub-collections beneath the chief parent collection.

 

What I have tried to achieve is for the ‘exclusiveA’ sub-collection to be read by ‘userB’ users if the value of the ‘creditCard’ (a boolean) is false.

 

The security rules I wrote are: 

 

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /users {
      // if a rule isn't specified, Firestore denies by default
      allow read;
    }

    match /users/{docId}/userA {
      allow read;
    }

    match /users/{docId}/userB {
      allow read;
    }

    match /users/{docId}/userA/{docId2}/exclusiveA/{docId3} {
      // allow read if user: (1) has a uid, (2) has creditcard = false
      allow read: if request.auth.uid != null && get(/databases/$(database)/documents/users/$(docId)/userB/$(docId2)/exclusiveB/$(request.auth.uid)).data.creditCard == false;
    }

    match /users/{docId}/userB/{docId2}/exclusiveB/{xcluB} {
      allow read: if resource.data.uid == request.auth.uid;
    }

    match /users/{docId}/userA/{docId2}/otherDetails/{id} {
      allow read: if request.auth.uid == resource.data.id;
    }

    match /users/{docId}/userB/{docId2}/otherDetails/{id} {
      allow read: if request.auth.uid == resource.data.id;
    }

  }

}

 

So, despite the Firestore formation above and the security rules above, Firestore’s response is:

 

[cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation.

 

Can you help to explain why the get(/databases/) call within the security rules is failing please?

 

With thanks.
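Added example, not part of the original post and not Firebase's own code: the `exclusiveA` rule from the question, restructured so the cross-document lookup can be inspected in the Firestore emulator. The helper names `payerDoc` and `noCardOnFile` are hypothetical, and `debug()` produces output only in the emulator. The path is the one the posted rule builds, so a read is allowed only when a document whose ID is the caller's uid exists under the same `{docId}`/`{docId2}` in `userB/.../exclusiveB` and holds `creditCard == false`.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: the document the posted rule looks up.
    // It reuses {docId} and {docId2} captured from the userA path,
    // but under userB, and uses the caller's uid as the document ID.
    function payerDoc(docId, docId2) {
      return /databases/$(database)/documents/users/$(docId)/userB/$(docId2)/exclusiveB/$(request.auth.uid);
    }

    // Hypothetical helper: check that the document exists before
    // reading a field from it, so a missing document gives a plain
    // false instead of an evaluation error.
    function noCardOnFile(docId, docId2) {
      return exists(payerDoc(docId, docId2))
        && get(payerDoc(docId, docId2)).data.creditCard == false;
    }

    match /users/{docId}/userA/{docId2}/exclusiveA/{docId3} {
      // debug() returns its argument unchanged; in the emulator it
      // also writes the value to firestore-debug.log.
      allow read: if request.auth != null
                  && debug(noCardOnFile(docId, docId2));
    }
  }
}
```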

 

 


1 reply


@damisparks do you think you could help? I remember you were an expert on Firestore? :)
