
I'm writing a custom function in Firestore security rules that checks to make sure the submitting user is the content owner, per the official documentation.

I'm applying the custom function to the correct path /collection/{documents}/subcollection/{subcollectiondocuments} where every subcollectiondocument has a userId field that's not null. These documents do not have a uid field, but I tried it anyway in 2 and 4 below.

All versions of the custom function below (belongsToRequestor 1,2,3 and 4) generate a "Property resource is undefined on object" error in the Cloud Firestore rules playground simulator.

Do I need to pass something into the custom function, or am I making some other mistake?

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function belongsToRequestor1() {
      return request.auth.uid == resource.data.userId;
    }

    function belongsToRequestor2() {
      return request.auth.uid == resource.data.uid;
    }

    function belongsToRequestor3() {
      return request.auth.uid == request.resource.data.userId;
    }

    function belongsToRequestor4() {
      return request.auth.uid == request.resource.data.uid;
    }

    …

    match /collection/{documents}/subcollection/{subcollectiondocuments} {

      allow update: if belongsToRequestor1();
      // or belongsToRequestor2(); or belongsToRequestor3(); or belongsToRequestor4();

      …

    }
  }
}

I'm not sure how to implement this answer to another question: "…enter the path to an actual document that exists if you want to test your rule that uses its field values." Each document in subcollectiondocuments has an id auto-generated by Firebase.

Update: adding database screenshot (with fake data), as requested (properties = collection and reviews == subcollection):

[screenshot with fake data]

Thanks for any help!

Mark Gavagan
  • Can you share a screenshot of your Firestore collections? When you try to update a sub-document, `resource.data` would be an object containing the data of the document being updated. I assume the uid, userId fields are present in the document of the root collection. If that's the case, then you'll have to use the `get()` function to read data from that document. Can you share the screenshots to confirm this? – Dharmaraj May 09 '22 at 14:07
  • So a "review" document can only be updated by its creator, i.e. the person whose UID is the same as the `userId` field in that review doc itself? Where are the UIDs of requestor1 and 2 coming from? I cannot see any `uid` in any of the documents. – Dharmaraj May 09 '22 at 14:21
  • You're right @Dharmaraj, as I wrote above, "These documents do not have a uid field, but I tried it anyway in 2 and 4 below." Yes, looking to have only the creator be able to update. – Mark Gavagan May 09 '22 at 14:27
  • I saw this answer - https://stackoverflow.com/a/56487579/1459653 - after posting and tried the isMine() code. ```request.auth.uid == request.resource.data.userId``` and ```request.auth.uid == request.resource.data.uid``` resulted in the following error in the security rules simulator: "Property resource is undefined on object" – Mark Gavagan May 09 '22 at 14:36
  • Here is a link to the documentation's ```get()``` function, as @Dharmaraj suggests above: https://firebase.google.com/docs/firestore/security/rules-conditions?authuser=0#access_other_documents Novices like me should note that "…The get() and exists() functions both expect fully specified document paths…" I tried ```request.auth.uid == get(/databases/$(database)/documents/properties/$(property)/reviews/$(review)).data.userId;``` and received an "Invalid variable name: review" error. Even if I can get this working, this may not be a good custom function, since different paths will be needed… – Mark Gavagan May 09 '22 at 15:58
  • Are you using this match statement as-is? `match /collection/{documents}/subcollection/{subcollectiondocuments}` I tried a concept example using `belongsToRequestor1()` as the function checking for the same `userId` as the request auth id, and it was allowed as expected. It could also be a syntax error. If you can share a full rules file that triggers this error, it could be helpful. – ErnestoC May 10 '22 at 15:55
  • Thanks @Ernesto. I did use that match statement, though with the actual collection & document names instead of "collection", "documents" etc. Sorry, but I'm away for a few days and can't access my code. Best, -M – Mark Gavagan May 10 '22 at 18:58
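One way to structure the owner check the question describes, as an added example that is neither the asker's rules nor Firebase's own code. It assumes the asker's real path is /properties/{propertyId}/reviews/{reviewId} (the variable names are hypothetical stand-ins for the collection and subcollection named in the update) and that every review carries a non-null userId field; it goes beyond the question's update case to cover create and delete as well.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Guard first: request.auth is null for unauthenticated callers, and
    // reading request.auth.uid on null is itself a rule evaluation error.
    function isSignedIn() {
      return request.auth != null;
    }

    // resource is the document as it currently exists in the database.
    // It is what you want for update and delete: "does the caller own what is stored?"
    function ownsExistingDoc() {
      return isSignedIn() && request.auth.uid == resource.data.userId;
    }

    // request.resource is the document as it would look after the write.
    // It is the only thing available on create, since nothing exists yet.
    function ownsIncomingDoc() {
      return isSignedIn() && request.auth.uid == request.resource.data.userId;
    }

    // Hypothetical path standing in for the asker's properties/reviews layout.
    match /properties/{propertyId}/reviews/{reviewId} {
      // Create: a caller may only create a review stamped with their own uid.
      allow create: if ownsIncomingDoc();

      // Update: check both sides. Checking only resource would let the owner
      // rewrite userId and hand the document to another account; checking only
      // request.resource would let anyone take over a document by writing their
      // own uid into it.
      allow update: if ownsExistingDoc() && ownsIncomingDoc();

      // Delete: only the stored owner may remove the document.
      allow delete: if ownsExistingDoc();
    }
  }
}
```

When simulating an update in the Rules Playground, point it at a review document that actually exists so that `resource.data.userId` has a stored value to compare against; a create simulation needs only the uid in the simulated auth and a matching userId in the simulated document body.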

0 Answers