Ad

How To Use Wildcards In Firebase Security Rules

I'm trying to use a wildcard in my firebase security rules but it's not working like the online documentation describes. enter image description here

I want to return the entire itineraryList collection but the security rules aren't working.

match /itinerary/{userId=**}/itineraryList/{doc} {
  allow read: if request.auth.uid == userId; 
  allow write: if request.auth.uid == userId;
}

What is the correct syntax here to give authenticated users access to the entire list?

Ad

Answer

Update following your comments:

If you want to give read access to any authenticated user to all documents under the itinerary collection (including sub-collections), do as follows:

service cloud.firestore {
  match /databases/{database}/documents {
      match /itinerary/{docId=**} {
          allow read: if request.auth.uid != null;
      }   

      //possibly add another rule for write

  }
}

Initial answer:

This is because by doing {userId=**} you are using the "recursive wildcard syntax", see https://firebase.google.com/docs/firestore/security/rules-structure#recursive_wildcards. It will correspond to the "entire matching path segment".

You should do:

service cloud.firestore {
  match /databases/{database}/documents {
      match /itinerary/{userId}/itineraryList/{doc} {
        allow read: if request.auth.uid == userId; 
        allow write: if request.auth.uid == userId;
      }  
  }
}

You may also watch this official Firebase video about Firestore security rules, it explains this point, among others: https://www.youtube.com/watch?v=eW5MdE3ZcAw

Ad
source: stackoverflow.com
Ad