Multiple get() conditions in Firebase security rules do not work as expected.

Asked 1 year ago, Updated 1 year ago, 39 views

The Cloud Firestore security rules are set as follows:

service cloud.firestore {
  match /databases/{database}/documents {
    match /collectionA/{someID} {
      // true unless the caller's user document under this company has deleteFlag == true
      function checkA() {
        return get(/databases/$(database)/documents/collectionA/$(someID)/users/$(request.auth.uid)).data.deleteFlag != true;
      }
      // true unless the company document under the caller's collectionB entry has deleteFlag == true
      function checkB() {
        return get(/databases/$(database)/documents/collectionB/$(request.auth.uid)/companies/$(someID)).data.deleteFlag != true;
      }
      allow read, write: if checkA() || checkB();
    }
  }
}

The database is configured as shown in the following image:

[Image: Database]

I set up the simulator as follows and ran it.

Simulation type: get
Location: collectionA/companyA
Provider: password
Firebase UID: aAzUlfztdYdEIXT3Tva73kCiuy93

The function checkA() should be false and the function checkB() should be true, so I expected access to be allowed, but the result was "Data access through simulation was not allowed."

Also, when each function is used on its own, checkA() returned false and checkB() returned true.

I thought making them functions was the mistake, so I wrote the condition directly in allow read, write:, but access was denied as above.

Also, when I changed the function checkB() to a different conditional expression that returns true, as shown below, access was allowed, so I think it is not the case that OR cannot be specified.

function checkB() {
  return request.auth.uid != null;
}

If anyone knows what's wrong, could you please point it out?
Thank you for your cooperation.

firebase

2022-09-30 19:18

2 Answers

Under this rule and DB conditions

  • /databases/$(database)/documents/collectionA/$(someID)/users/$(request.auth.uid)
  • /databases/$(database)/documents/collectionB/$(request.auth.uid)

It appears that the document IDs (user IDs) pointed to do not match. As far as the attached screenshot shows, the former is r9Myn4TfzAVpSZGzyaet and the latter is aAzUlfztdYdEIXT3Tva73kCiuy93, so I think it can be retrieved if they match. Rather than the rules being strange, the DB structure (document IDs) being simulated appears to be flawed.


2022-09-30 19:18

There were reports that the simulator rarely works properly, so just in case I actually issued a query and got the intended result. I thought it might be a simulator bug, but when I contacted Developer Platform Support, they replied as follows:

The get() function raises an error when it tries to retrieve a value from an object that does not exist.
If an error occurs while the condition is being evaluated, the security rule does not apply.

A request to apply a security rule when any deleteFlag associated with the user's data in each collection is false is difficult, because the security rules specification has no function for handling objects that do not currently exist.
As a workaround, the above rules are applied after storing data so that UID data exists in both collectionA and collectionB.


2022-09-30 19:18
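As an added example (not part of the original question, the answers, or the support reply), the rule from the question can be rewritten so that a missing document does not trigger the get() error described above: each get() is guarded by exists() on the same path, and the caller must be signed in before either lookup runs. The collection and field names are taken from the question; the path helper functions are this example's own.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /collectionA/{someID} {
      // Path helpers (names are this example's own) so that exists() and get()
      // always refer to exactly the same document.
      function userDocPath() {
        return /databases/$(database)/documents/collectionA/$(someID)/users/$(request.auth.uid);
      }
      function companyDocPath() {
        return /databases/$(database)/documents/collectionB/$(request.auth.uid)/companies/$(someID);
      }

      // exists() is simply false for a missing document, so the get() after &&
      // is not reached for a document that does not exist: the function yields
      // false instead of raising the error that makes the whole rule deny.
      function checkA() {
        return exists(userDocPath())
            && get(userDocPath()).data.deleteFlag != true;
      }
      function checkB() {
        return exists(companyDocPath())
            && get(companyDocPath()).data.deleteFlag != true;
      }

      // Require a signed-in user first; with request.auth == null the path
      // expressions above could not even be built.
      allow read, write: if request.auth != null && (checkA() || checkB());
    }
  }
}
```

With this form, the situation in the first answer (neither document exists under the simulated UID) produces a clean deny from two false results rather than an evaluation error, and an existing document with deleteFlag != true in either collection still grants access through the OR, so the data-seeding workaround from support is not needed. Each exists() and get() call counts towards the per-request limit on document accesses in rules, so keep the number of guarded lookups small.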

© 2024 OneMinuteCode. All rights reserved.