I am using Firebase Cloud Firestore, and I want to modify my rules to restrict users from querying a collection.
This should not be allowed:
firestore().collection("users").get()
But this should be allowed:
firestore().collection("users").doc("someUserId").get()
Currently, my rules look like this:
match /users/{userId} {
allow read;
}
but this rule allows the "users" collection to be queried.
How can I allow single document gets, but not collection queries?
You can break read rules into get and list . Rules for get apply to requests for single documents, and rules for list apply to queries and requests for collections ( docs ).
match /users/{userId} {
//signed in users can get individual documents
allow get: if request.auth.uid != null;
//no one can query the collection
allow list: if false;
}
Just allow get
and you'll be good:
match /users/{userId} {
allow get;
}
Give the following a try. I haven't been able to test it, so apologies if I've mistyped something.
match /users/{userId} {
allow read: if $(request.auth.uid) == $(userId);
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.