Firestore rules for document field

南方客 2020-12-17 14:40

I'm struggling within Firestore to set security rules for a document. With the RTDB it was possible to set rules for a specific object property and I'm trying to do the sa

2 Answers
  • 2020-12-17 15:00

    You can do this by checking the request.resource.data property, as shown in this section of the documentation. You only need to match the document level. You check the field rules with an if condition.

    However, you are unable to control read access to individual fields. A user can either read a whole document or not. If you need to store private data, consider adding this to a sub-collection of the user document.

    Here is an example

    service cloud.firestore {
      match /databases/{database}/documents {
        // Make sure all cities have a positive population and
        // the name is not changed
        match /cities/{city} {
          allow update: if request.resource.data.population > 0
                        && request.resource.data.name == resource.data.name;
        }
      }
    }
    
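The two points of the answer above (validate written fields through request.resource.data, and move data that must stay private into a sub-collection) combined into one ruleset. This is an added example, not code from the answer or from the Firebase documentation; the /users layout, the private sub-collection name and the fields displayName, bio and role are assumptions chosen for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed layout (hypothetical names):
    //   /users/{userId}                  shareable profile fields
    //   /users/{userId}/private/{docId}  data only the owner may read

    function signedIn() {
      return request.auth != null;
    }

    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }

    // True when an update changes, adds or removes only the listed
    // top-level fields; every other field must stay as stored.
    function changesOnly(fields) {
      return request.resource.data.diff(resource.data)
               .affectedKeys().hasOnly(fields);
    }

    match /users/{userId} {
      // Read access is per document, never per field, so this document
      // should hold nothing that other signed-in users must not see.
      allow read: if signedIn();

      // New profiles carry a fixed set of fields and always start as 'member'.
      allow create: if isOwner(userId)
                    && request.resource.data.keys().hasAll(['displayName', 'role'])
                    && request.resource.data.keys().hasOnly(['displayName', 'bio', 'role'])
                    && request.resource.data.displayName is string
                    && request.resource.data.role == 'member';

      // The owner may edit displayName and bio; a write that touches
      // 'role' (or any unlisted field) is rejected.
      allow update: if isOwner(userId)
                    && changesOnly(['displayName', 'bio'])
                    && request.resource.data.displayName is string
                    && request.resource.data.displayName.size() <= 64;

      // Private data sits in its own documents, so it gets its own read rule.
      match /private/{docId} {
        allow read, write: if isOwner(userId);
      }
    }
  }
}
```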
  • 2020-12-17 15:16

    Looks like this is now supported:

    service cloud.firestore {
      match /databases/{database}/documents {
        // Allow the user to read data if the document has the 'visibility'
        // field set to 'public'
        match /cities/{city} {
          allow read: if resource.data.visibility == 'public';
        }
      }
    }
    

    The resource variable refers to the requested document, and resource.data is a map of all of the fields and values stored in the document.


    To give a concrete example, in my case I needed to provide read access to a group only if the requesting user is in the members field (which is an array) of the groups collection. So I did this:

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        function isMember(userId) {
          return (userId in resource.data.members);
        }
        match /groups/{group} {
          allow read: if request.auth != null && isMember(request.auth.uid);
        }
        //...
      }
    }
    