Firebase Firestore - security rule based on “where” query parameters

Question

I\'m trying to secure requests to a collection to allow any single get, but to allow list only if a specific key is matched.

Database structure

Answer 1

There's currently no way, using security rules, to check if a field is being used in query. The only thing you can do is verify that a document field is being used as a filter using only values you allow.

Instead, consider duplicating enough data into another collection organized like this:

user-posts      (collection)
  {uid}         (document using UID as document ID)
     posts      (subcollection)
       {postId} (documents using post ID as document ID)

This will require the client to call out a UID to query in order to get all the posts associated with that user. You can store as much information about the post documents as you like, for the purpose of satisfying the query.

Duplicating data like this is common in NoSQL databases. You might even want to make this your new default structure if you don't want your users to query across all posts at any given moment. Note that a collection group query naming the "posts" subcollection would still query across all posts for all users, so you'd have to make sure your security rules are set up so that this is enabled only when you allow it to happen.

Also note that UIDs are typically not hidden from users, especially if your web site is collaborative in nature, and you combine multiple users' data on a single page.