2

I have notification records where there is a text and a list of users(max 10). 

{text: "The community is here to help you", users: [ uid1, uid2, uid3, ... ]}

When a user read/acknowledge the notification, I want to remove him from the array of users who can see the notification (then he won't get any anymore).

For that, when the user press the "hide notification button", he send a request to update the notification record with:

users: FieldValue.arrayRemove(uid)

I want to enfore with security rules that the user:

  • Doesn't change other part of the notification record.
  • Send its uid and only its uid in the arrayRemove part.

Tried with 

allow update: if 
    request.auth.uid != null 
    && request.auth.uid in resource.data.users 
    && request.resource.size() == 1 
    && request.resource.data.users != null;
  • The request.resource.size == 1 doesn't work. Can't figure out why as I have only one field in my request.
  • I have no way to ensure the arrayRemove is strictly limited to its uid.

Also, I found this post on Google forums (2 years old): https://groups.google.com/forum/#!topic/google-cloud-firestore-discuss/L58q18JxqlI

I've tried this for arrayUnion, and it's working allow update: if request.auth.uid in request.resource.data.users; but not for arrayRemove.

I'm trying this for arrayRemove, but no luck: allow update: if resource.data.users[request.auth.uid] != null;

Any hint, help, idea well appreciated.

Néstor
  • 416
  • 4
  • 10
  • Related issue: https://stackoverflow.com/questions/54764457/firebase-security-rules-ensure-one-array-remove-only-and-only-to-userid – Néstor May 07 '20 at 12:56
  • Related issue: https://stackoverflow.com/questions/61528403/see-array-changes-in-firestore-security – Néstor May 07 '20 at 13:12
  • Look into using the MapDiff API to determine what exactly is being changed in a document. https://firebase.google.com/docs/reference/rules/rules.MapDiff – Doug Stevenson May 07 '20 at 15:54
  • The crux of the matter is to create a security rule using the current structure of the database (and therefore that of the App code), not to completely change this structure from an Array to a Map, which would entail not only modifying the entire structure of the database, if not also rewrite some of the code and logic of the App. It doesn't seem like a viable solution, but thanks. – Néstor May 07 '20 at 18:20
  • I'm not suggesting changing anything in the data. I'm suggesting using the linked APIs to understand what is changing when the rule runs, and decide whether or not to allow it. – Doug Stevenson May 07 '20 at 18:43

0 Answers0