I'm creating a Flutter Todo app that allows users to add a task for themselves or send it to another user via their account email.
My Firebase database has the following fields: title, isChecked, recipient, sender, senderUID.
My current Firebase security rules are as follows:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isOwnerOrAdmin(reminder, auth) {
      let isOwner = auth.token.email == reminder.recipient;
      let isAdmin = auth.token.isAdmin == true;
      return isOwner || isAdmin;
    }
    match /reminders/{reminder} {
      allow create: if
        // User is author
        request.auth.uid == request.resource.data.senderUID;
      allow update:
        // User is recipient or admin
        if isOwnerOrAdmin(resource.data, request.auth) &&
        // only 'title' and 'isChecked' may be modified
        request.resource.data.diff(resource.data).unchangedKeys().hasAll([
          "recipient",
          "sender",
          "senderUID"
        ]);
      // Can be read or deleted by recipient or admin
      allow read, delete: if isOwnerOrAdmin(resource.data, request.auth);
    }
  }
}
In my code, I'm using the following to make updates to a task:
var collection = _firestore.collection('reminders');
var snapshot = await collection.where('title', isEqualTo: task.title).where('recipient', isEqualTo: loggedInUser.email.toString()).get();
await snapshot.docs.first.reference.update({'isChecked': task.isChecked});
Similarly, the following code is used to delete a task:
var collection = _firestore.collection('reminders');
var snapshot = await collection.where('title', isEqualTo: task.title).where('recipient', isEqualTo: loggedInUser.email.toString()).get();
await snapshot.docs.first.reference.delete();
Update and delete do not work with my new set of rules; the output shows INSUFFICIENT PERMISSION. What did I do wrong? I can only create new documents, but can't update or delete them (via code).
from Firebase security rules checks for the incoming request and database collection email
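A local model of the question's update rule, as an added example that is not from the question or from Firebase: it re-implements isOwnerOrAdmin and the diff().unchangedKeys() check in Python over constructed documents and ID tokens, so the reader can see which updates the rule admits (changing isChecked) and which it denies (touching recipient, sender or senderUID, or updating as the sender). The Firestore emulator, not this model, is the authority on how the real rules evaluate.

```python
# Added example (not from the question): a local Python model of the update
# rule's two predicates, evaluated over constructed sample requests. It models
# isOwnerOrAdmin and diff(...).unchangedKeys() only as the question uses them.

PROTECTED_KEYS = {"recipient", "sender", "senderUID"}


def is_owner_or_admin(reminder: dict, token: dict) -> bool:
    """Model of isOwnerOrAdmin(reminder, auth): recipient match or admin claim."""
    is_owner = token.get("email") == reminder.get("recipient")
    # A missing isAdmin claim is treated as "not admin" in this model.
    is_admin = token.get("isAdmin") is True
    return is_owner or is_admin


def unchanged_keys(new_data: dict, old_data: dict) -> set:
    """Model of new_data.diff(old_data).unchangedKeys(): present in both, equal."""
    return {k for k in new_data if k in old_data and new_data[k] == old_data[k]}


def update_allowed(old_data: dict, new_data: dict, token: dict) -> bool:
    """Model of the question's 'allow update' condition."""
    protected_unchanged = PROTECTED_KEYS <= unchanged_keys(new_data, old_data)
    return is_owner_or_admin(old_data, token) and protected_unchanged


# Constructed sample document and ID tokens (not real accounts).
STORED = {"title": "Buy milk", "isChecked": False, "recipient": "bob@example.com",
          "sender": "alice@example.com", "senderUID": "uid-alice"}
BOB = {"email": "bob@example.com"}
ALICE = {"email": "alice@example.com"}
ADMIN = {"email": "ops@example.com", "isAdmin": True}


def run_cases() -> dict:
    """Evaluate the modelled update rule for a few realistic requests."""
    return {
        "recipient toggles isChecked": update_allowed(
            STORED, {**STORED, "isChecked": True}, BOB),
        "recipient reassigns recipient": update_allowed(
            STORED, {**STORED, "recipient": "eve@example.com"}, BOB),
        "recipient drops senderUID": update_allowed(
            STORED, {k: v for k, v in STORED.items() if k != "senderUID"}, BOB),
        "sender edits title": update_allowed(
            STORED, {**STORED, "title": "Buy oat milk"}, ALICE),
        "admin edits title": update_allowed(
            STORED, {**STORED, "title": "Buy oat milk"}, ADMIN),
    }
```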