Firestore rules validate email as id
730 views
Skip to first unread message
Tomasz Iniewicz
Mar 8, 2018, 10:46:20 PM3/8/18
to Firebase Google Group
Hi, question regarding firestore rules:
My current collection has documents whose id’s are email address and i am trying to validate an email address but can’t seem to select the "id" in the rule. I’ve tried the following; what am I missing?
- document.__id__
- document.__name__
- document.data.__id__
- etc...
Here is an example:
service cloud.firestore {
match /databases/{database}/documents {
match /newsletter/{document=**} {
allow read: if user.auth != null;
allow write: if resource.data['__name__'] == 'sampl...@killerdomain.com';
}
}
}
Kato Richardson
Mar 9, 2018, 2:10:47 PM3/9/18
to Firebase Google Group
Hi Tomasz,
It looks like the meta fields are on the resource object rather than the data object. So maybe just resource['__name__']?
☼, Kato
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5302066f-fa2e-49ba-8c82-89d95bb9ea0e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Tomasz Iniewicz
Mar 12, 2018, 11:11:14 PM3/12/18
to Firebase Google Group
Hi Sorry for the long reply but haven't had a chance to get back to this. I have tried this already but just in case I tried just now again in the following scenarios:
- allow write: if resource['__id__'] == 'pe...@gabriel.com';
- allow write: if resource['__name__'] == 'pe...@gabriel.com';
and I can't save an object with the following email: "pe...@gabriel.com".
My entire rule looks like this:
service cloud.firestore {
match /databases/{database}/documents {
match /newsletter/{document=**} {
allow read: if user.auth != null;On Friday, March 9, 2018 at 2:10:47 PM UTC-5, Kato Richardson wrote:
Hi Tomasz,It looks like the meta fields are on the resource object rather than the data object. So maybe just resource['__name__']?☼, Kato
On Thu, Mar 8, 2018 at 6:59 PM, Tomasz Iniewicz <tomasz...@gmail.com> wrote:
Hi, question regarding firestore rules:My current collection has documents whose id’s are email address and i am trying to validate an email address but can’t seem to select the "id" in the rule. I’ve tried the following; what am I missing?
- document.__id__
- document.__name__
- document.data.__id__
- etc...
Here is an example:
match /databases/{database}/documents {
match /newsletter/{document=**} {
allow read: if user.auth != null;
allow write: if resource.data['__name__'] == 'sampl...@killerdomain.com';
}
}
}
--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/5302066f-fa2e-49ba-8c82-89d95bb9ea0e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Kato Richardson
Mar 13, 2018, 12:27:02 PM3/13/18
to Firebase Google Group
Yeah, I tried the following rule and it still failed, so I'm guessing this doesn't work as one might expect looking at the ref.
allow write: if request.resource['__id__'] == 'foo'
|| resource['__id__'] == 'foo'
|| request.resource['__name__'] == 'foo'
|| resource['__name__'] == 'foo'
|| request.resource.data['__id__'] == 'foo'
|| resource.data['__id__'] == 'foo'
Let me see if I can find someone to comment on whether this is a docs problem or a bug.
☼, Kato
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/7ad679cc-491c-4895-9416-64ada09ea48d%40googlegroups.com.
Mike McDonald
Mar 13, 2018, 1:02:10 PM3/13/18
to Firebase Google Group
Hey folks,
Sorry for the confusion! You're on the right track, there's just a bit of confusion about the name "name" and "id":
- resource.__name__ is a path that represents the full resource name: /projects/projectId/databases/(default)/documents/collection/documentId
- resource.id is a string that represents the id of the document: documentId
Firestore provided metadata fields live in resource, while all developer provided fields live in resource.data. Often, provided metadata is prefixed and suffixed with "__", though id is an exception. The reference docs discuss this (currently updating the example to include id), though I understand these docs are a little harder to find.
I'd recommend:
service cloud.firestore {
match /databases/{database}/documents {
match /newsletter/{email}/{allDocuments==**} {
allow read: if user.auth != null;
service cloud.firestore {
match /databases/{database}/documents {
match /newsletter/{allDocuments==**} {
allow read: if user.auth != null;
The issue with the latter is that *any* document write would be allowed: including to paths like /newsletter/foo/maliciousContent/sam...@killerdomain.com.
Thanks,
--Mike
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/7ad679cc-491c-4895-9416-64ada09ea48d%40googlegroups.com.
Tomasz Iniewicz
Mar 15, 2018, 11:34:41 PM3/15/18
to Firebase Google Group
Ok I got it to work like so:
service cloud.firestore { match /databases/{database}/documents { match /newsletter/{email} { allow read: if request.auth != null; allow write: if email == 'pe...@gabriel.com'; } }}
Reply all
Reply to author
Forward
0 new messages