EDIT: After viewing the answer at https://stackoverflow.com/a/44876864/6792075, I still don't know why it should be necessary to double escape the period, with '\\.', especially because the documentation clearly shows that '\.' is the expected syntax (see my second example, below). The answer also references the first example ('.*\..*'), but modified with a double-escape ('.*\\..*'), but I believe this would still fail for reasons I describe below.
I'm trying to split the string memberUIDs.some_ID_here on the period character, but there are some discrepancies between the Firestore security rules docs and the syntax allowed in the rules editor.
The security rules provide a .split() method for strings: https://firebase.google.com/docs/firestore/reference/security/#split:
// Allow documents named "user.*" to be uploaded
match /{document} {
  allow write: if user.split('.*\..*')[0] == 'user'
}
There is also an example in the docs showing a split on the period character, with a different regex:
// Allow read if a document has the string 'user' in it
match /{document} {
  allow read: if 'user' in document.split('\.');
}
The first issue is with the first example. If you actually use this regex, it matches the entire string, which will not allow you to split on the period character; it takes the whole string as the delimiter, resulting in an array of two empty strings.
The second issue is with the second example. This regular expression should work correctly, and it works in tests with online regex editors; however, the rules editor throws a syntax error on this regex when used in the split() function. In fact, if you try to use the string '\.' anywhere, the editor throws a syntax error.
Right now, I am using '\\.' as my regex, which does not trigger a syntax error in the editor, but I do not think this is functioning correctly:
match /groups/{groupID} {
  allow write: if (
    request.writeFields[0].split('\\.')[0] == 'memberUIDs' &&
    request.writeFields[0].split('\\.')[1] == request.auth.uid
  )
}
It seems like either the documentation is wrong, the editor's syntax checker isn't working properly, or I'm fundamentally misunderstanding something about how the security rules work.
Here is a screenshot of the syntax error occurring:
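The splitting behaviour discussed in the question, as an added example that is not part of the original post or the Firebase docs. It uses JavaScript's RegExp as a stand-in for the rules engine's regex matcher (an assumption), a constructed field path and uid, and a hypothetical `ruleAllows` helper that restates the write condition.

```javascript
// Added illustration; JavaScript's RegExp stands in for the rules engine's matcher.
const FIELD = 'memberUIDs.uid_123'; // constructed sample field path
const UID = 'uid_123';              // constructed sample auth uid

// String.raw keeps backslashes, so each constant is the exact regex source text.
const WHOLE_STRING = String.raw`.*\..*`; // first docs example
const ESCAPED_DOT = String.raw`\.`;      // second docs example: backslash + dot
const BARE_DOT = '.';                    // what is left if the backslash is lost

// Split `text` on every match of the regex whose source text is `pattern`.
function splitOn(pattern, text) {
  return text.split(new RegExp(pattern));
}

// The question's write condition restated as a function (hypothetical helper).
function ruleAllows(pattern, field, uid) {
  const parts = splitOn(pattern, field);
  return parts[0] === 'memberUIDs' && parts[1] === uid;
}

// In a JavaScript string literal, '\\.' is the two characters backslash + dot,
// i.e. the regex \. ; a single-backslash '\.' collapses to '.' (any character).
// The rules editor in the question rejects that literal instead of collapsing it.
function literalLayers() {
  return { doubled: '\\.' === ESCAPED_DOT, single: '\.' === BARE_DOT };
}

for (const p of [WHOLE_STRING, ESCAPED_DOT, BARE_DOT]) {
  console.log(JSON.stringify(p), '->', JSON.stringify(splitOn(p, FIELD)),
              'allows write:', ruleAllows(p, FIELD, UID));
}
console.log(literalLayers());
```

Only the escaped-dot pattern yields the two path segments the write condition compares; the other two produce nothing but empty strings, so the condition denies every write.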