Exclusive Reading from the Firestore


M Mathems

May 2, 2023, 3:28:22 PM
to Firebase Google Group

Hi

I have been stuck on something for some days now and I am beginning to think that the underlying goal isn't possible to achieve with Firestore - even though this idea seems crazy to me.

Generally, I intend to have a collection (collectionA) that will receive 1000s of documents concerning different registered users, and I intend to offer stream-listening to that collection (collectionA) to 1000s of other registered users. However, I intend for those users listening to collectionA to only be able to read collectionA where field-values within documents of collectionA match field-values within the user-details of those users. This would mean that exclusive reading should occur.

Setting up Firestore's rules might be where my misunderstanding is arising, as the results I am seeing tend to suggest that once a read-action is allowed regarding collectionA, that every document within collectionA can be read -- and this is why I am beginning to think that my goal is impossible.

Compared to WhatsApp, I imagine WhatsApp having a huge database of users in a single collection, and that documents are only received/readable where field-values within user-details match fields within sent-data - hence why you only receive messages meant for you.

My security rules are set to allow a read of collectionA (theoretically speaking) when the get(/databases/) call checks that field-values within another collection (concerning the listener) match field-values within collectionA, and to test properly, collectionA has alternative field-values.  But the results suggest that once a read of the collectionA has been allowed, that every document within collectionA would be available to every listener.

A possible flaw in my findings could be that my security rules have been set to allow read by unauthorised users on two parent collections above collectionA.  These two parent collections contain no data but it seems that unless granted full reads, that access to collectionA (a sub-collection) is not given.


Snippet

match /users/{userId} {
  // if a rule isn't specified, Firestore denies by default
  allow read;
}

match /users/{docId}/userA/{docId2} {
  allow read;
}

match /users/{docId}/userB/{docId2} {
  allow read;
}

match /users/{docId}/userA/{docId2}/exclusiveA/{docID} {
  allow read: if get(/databases/$(database)/documents/users/{userID}/userB/{userBdocID}/exclusiveB/$(request.auth.uid)).data.uid == request.auth.uid &&
      get(/databases/$(database)/documents/users/{userID}/userB/{userBdocID}/exclusiveB/$(request.auth.uid)).data.currency == resource.data.preferredCurrency;
}


Please comment, in theory, is my underlying goal something that can be achieved with Firestore please?

With thanks.



Michael Bleigh

May 2, 2023, 3:33:49 PM
to fireba...@googlegroups.com
It seems like you should be able to achieve this using query constraints in your security rules. You could enforce that a given query has appropriate where clauses and that the values of those where clauses match user data.

Hope that helps!
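
Added example (not part of the thread, and not the poster's or Michael Bleigh's code): one way to write the query-constrained rule described in the reply above. It assumes a hypothetical top-level collectionA and a hypothetical profiles/{uid} document holding each listener's currency; the client calls in the comments use the modular web SDK.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: each signed-in user has a profile document at
    // profiles/{uid} with a `currency` field (hypothetical layout).
    function profile() {
      return get(/databases/$(database)/documents/profiles/$(request.auth.uid)).data;
    }

    // A user may read only their own profile.
    match /profiles/{uid} {
      allow read: if request.auth != null && request.auth.uid == uid;
    }

    match /collectionA/{docId} {
      // Single-document get: the condition is checked against the stored
      // document (resource.data).
      //
      // Query or listener: rules are not filters. Firestore checks the
      // query's constraints against this condition, and a query that could
      // return a non-matching document is rejected as a whole.
      allow read: if request.auth != null
                  && resource.data.preferredCurrency == profile().currency;
    }
  }
}

// Client side (modular web SDK), shown as comments:
//
// Accepted: the where clause pins preferredCurrency to the value stored in
// the caller's own profile, so every possible result satisfies the rule.
//   const q = query(collection(db, 'collectionA'),
//                   where('preferredCurrency', '==', myCurrency));
//   onSnapshot(q, onNext, onError);
//
// Rejected with permission-denied: no where clause, so the listener could
// return documents meant for other users.
//   onSnapshot(collection(db, 'collectionA'), onNext, onError);
//
// Rejected with permission-denied: the where clause names a currency other
// than the one in the caller's profile.
//   query(collection(db, 'collectionA'),
//         where('preferredCurrency', '==', someOtherCurrency));
```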


M Mathems

May 3, 2023, 6:50:20 PM
to Firebase Google Group
Hi Michael

Thank you for your response.

I'm pleased to hear that the overall goal can be achieved with Firestore - that's the main thing.

What you have explained makes perfect sense, and whilst researching this, I found a client of yours who explained similarly with 'where' clauses fixed to the query or data request -- in my case a stream.

I'll look into both solutions for the easiest and most secure -- to prevent data leaks by right practice is of equal importance with accessing the sought data.

Many thanks