I can't understand why this Firestore security rule fails in web.
I'm using @angular/fire latest with a query on a collection and with firebase latest, but it works in simulation.
service cloud.firestore {
match /databases/{database}/documents {
// Match any document in the 'cities' collection
match /events/{event} {
allow read: if (resource.data.access.code == 'public' || (resource.data.access.code == 'protected' && resource.data.objname.objfield == "A"));
}
}
}
Here's the data:
If access.code is "protected", then we look at objname.objfield == "A". Checking access.code == "protected" lets me access the data, but the second part objname.objfield == "A" doesn't.
I don't understand why. I've made sure this property exists in all objects of the collection. (Firestore security rules based on map values)
I tried several different ways, they all pass in Simulation, because it's a single document query. An actual query at collection level does not go through permissions with the actual web call.
This is the query I'm making, which passes when there's no security rule in place
const pathAccessCode: firebase.firestore.FieldPath = new firebase.firestore.FieldPath('access', 'code');
const eventsUser: AngularFirestoreCollection<any> = this.firestore.collection('events', ref => ref.where(pathAccessCode, '==', 'protected'));
const eventsUser$: Observable<any> = eventsUser.valueChanges();
eventsUser$.subscribe(data => console.log(data) );
As you can see; some properties are recognised by the rule (access.code) but not others (objname.objfield).
The only think I can think of at this stage, is that access.code has been created before I started playing with the rules. objname.objfield however, was created after I started using rules.
Can this be a thing?
Thanks for your help
