6

EDIT: Seems to be an open issue in Firestore. Also see this post.

In Google Cloud Firestore, I want to model a collection of groups. Each group contains a name, the list of it's users and some secretGroupData. For me, the natural way to do this would be:

/groups
    /group1 {
        name: "Group 1"
        users: { //object can be queried, simple array not
          "user1": true,
          "user5": true
        }
        secretGroupData: ...
      }
    /group2 { ... }

Given a user like user1, I want to query all groups he is member of. This query works fine:

groupsRef.where("users.user1", "==", true)

However, I want to secure the group data. This query only works, when all groups are readable for all users. When I protect the group to be readable only by the group members, by the rule

match /groups/{groupId} {
    allow read: if resource.data.users[request.auth.uid] == true;
}

the above query does not work any more, because as soon as it sees a group where the current user is not a member of, read access is denied and the whole query fails.

What is the best solution for this problem in Firestore? Should I

  1. tell Firestore to return only the allowed groups and ignore the other ones, instead of throwing an error? If so, how can I achieve this?
  2. make the groups readable for all users and move the secretGroupData into subcollections, where I can then restrict the access to just the group members
  3. add redundancy by adding the IDs of all groups of a user into the user's profile document (/users/user1/groupIds: ["group1"]), so I know the groups beforehand and can query them by ID
  4. use a totally different solution?

Thank you very much for your ideas.

Andi
  • 3,234
  • 4
  • 32
  • 37
  • Possible duplicate of [What's the difference between Cloud Firestore and the Firebase Realtime Database?](https://stackoverflow.com/questions/46549766/whats-the-difference-between-cloud-firestore-and-the-firebase-realtime-database) – Mike McDonald Oct 12 '17 at 16:33
  • Why? I think I have asked a precise question how to deal with that kind of modeling in Firestore. I did not ask how it can be solved with the Firebase realtime database. – Andi Oct 12 '17 at 16:37
  • 1
    But shouldn't this work exactly as it should with each user being able to request their own groups? Or do you want users to be able to query what groups another user is part of? – Scarygami Oct 12 '17 at 16:57
  • Of course in reality it gets more complex; but for this question I just want to restrict the read access for each group to its group members (as far as possible) without any write access at all. A user should not be able to query the groups he is not member of (as far as possible). – Andi Oct 12 '17 at 17:01
  • 1
    @Andi Firebase-r here. We're taking a look at this question, it should work exactly as you wrote it! So either we're missing something in your code or we've found a bug in our rules validation. – Sam Stern Oct 12 '17 at 17:01
  • @hatboysam My database and query is as simple as described in the above post, so it should be easy to reproduce. I get the FirebaseError "Missing or insufficient permissions" from AngularFire2. Thank you for having a look at this issue. – Andi Oct 12 '17 at 17:14
  • 2
    Sorry, I think I linked the wrong question to mark as a dupe, it should be: https://stackoverflow.com/questions/46667912/firestore-read-rules-with-self-condition We're pretty sure it's a bug in how we handle constraining queries (why a single get works, but a query fails), and we're working to address it. – Mike McDonald Oct 12 '17 at 17:30
  • @MikeMcDonald is there some form of bug/issue tracker one can subscribe to to get an update on this? This seems like a rather important use feature for building secure web / mobile applications. – Geotob Nov 23 '17 at 07:38
  • Unfortunately not (something we're working on), though I can confirm this particular bug (nested fields being exposed) is fixed. – Mike McDonald Nov 27 '17 at 05:17

0 Answers0