Security

NoSQL Schema

The recommended schema puts the userId somewhere in the file path, with the Security Rules updated like so:

    // Grants a user access to a node matching their user ID
    service firebase.storage {
      match /b/{bucket}/o {
        // Files look like: "user/<UID>/path/to/file.txt"
        match /user/{userId}/{allPaths=**} {
          allow read, write: if request.auth.uid == userId;
        }
      }
    }

Sub-collections

A recursive wildcard such as {allPaths=**} also matches documents in subcollections. If your conditions are based on the resource object (the document being accessed), the field they check must exist on the documents at every level. For example:

    // Grants access only when the document being accessed has role == "ADMIN"
    service cloud.firestore {
      match /databases/{database}/documents {
        match /user/{userId}/{allPaths=**} {
          allow read, write: if resource.data.role == "ADMIN";
        }
      }
    }

This expects every document in the subcollections matched by {allPaths=**} to have a role field. To get around this, look the role up through a full path:

    // Grants access when the signed-in user's own document has role == "ADMIN"
    service cloud.firestore {
      match /databases/{database}/documents {
        match /user/{userId}/{allPaths=**} {
          allow read, write: if get(/databases/$(database)/documents/user/$(request.auth.uid)).data.role == "ADMIN";
        }
      }
    }

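The difference between the two conditions above, as an added example: a simplified JavaScript model written for this page, not Firebase's rule evaluator and not code from the original. The first condition reads the document being accessed, the second reads the caller's own user document; the sample documents, user IDs and function names are constructed for illustration.

```javascript
// Simplified model of the two Firestore conditions (assumption: not Firebase's evaluator).
// Constructed sample data: document path -> fields.
const db = new Map([
  ["user/alice", { role: "ADMIN" }],
  ["user/bob", { role: "USER" }],
  ["user/alice/notes/n1", { text: "no role field here" }],
  ["user/bob/notes/n1", { text: "bob's note" }],
]);

// Models match /user/{userId}/{allPaths=**}; simplifying assumption: the
// recursive wildcard needs at least one segment after the user ID.
function matchUserTree(path) {
  const seg = path.split("/");
  if (seg.length < 3 || seg[0] !== "user") return null;
  return { userId: seg[1], allPaths: seg.slice(2).join("/") };
}

// Condition 1: resource.data.role == "ADMIN" (reads the document being accessed).
function byResource(path, _auth) {
  const resource = db.get(path);
  return resource !== undefined && resource.role === "ADMIN";
}

// Condition 2: get(.../user/$(request.auth.uid)).data.role == "ADMIN" (reads the caller's document).
function byCallerLookup(_path, auth) {
  if (!auth) return false; // request.auth is null when signed out
  const caller = db.get(`user/${auth.uid}`);
  return caller !== undefined && caller.role === "ADMIN";
}

// True when the path matches the block and the chosen condition holds.
function allow(condition, path, auth) {
  return matchUserTree(path) !== null && condition(path, auth);
}

// Evaluates both conditions for each caller against each subcollection document.
function report() {
  const rows = [];
  for (const uid of ["alice", "bob"]) {
    for (const path of ["user/alice/notes/n1", "user/bob/notes/n1"]) {
      rows.push({ uid, path,
        resourceRule: allow(byResource, path, { uid }),
        lookupRule: allow(byCallerLookup, path, { uid }) });
    }
  }
  return rows;
}

console.table(report());
```

The resource-based condition denies every request here because no subcollection document carries a role field, while the lookup-based condition lets the admin through on any user's subtree and denies everyone else, including signed-out callers.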
​
Get started with Firebase Security Rules | Firebase Documentation