Permissions with where clause on data field

I want the capacity for a user to read and delete records on Firebase created by someone they invited to create records.

Created records have a field ‘resource.data.ownerUid’, with ownerId being the uid for the user that invited others to create records.

If I try something like:

allow read, delete: if request.auth.uid == resource.data.ownerUid;

But I get permission refused at the ‘get’ step of:

firestore.collection('screeningResponses')
  .where('screeningId', '==', screeningId)
  .get()

results in

FirebaseError: Missing or insufficient permissions.

At that point I was planning on iterating through the QuerySnapshot and deleting the records, but can’t get that far. Any suggestions?

8 thoughts on “Permissions with where clause on data field”

  1. Firebase security rules don’t filter data on their own. Instead they merely check whether the read operation is allowed according to the rules.

    For this reason your query will have to replicate what the rules require. Since your rules require that the user is the owner of the data they read, the query must do the same:

    firestore.collection('screeningResponses')
      .where('ownerUid', '==', firebase.auth().currentUser.uid) // 👈 this is new
      .where('screeningId', '==', screeningId)
      .get()
    
    Reply

Leave a Comment