Question

0

59

Views

How safely show publicly UID of firestore sub-collection

I have the following firestore db structure (image 1). I want (unauthenticated) users of my web app to be able to see each plumber public profile which contains reviews (image 2) they get from the won jobs. My question is how could i safely expose UID of each user who has made one of those reviews. Hopefully my question makes sense.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

db structure the ui i want to archive

7 months ago · Juan Pablo Isaza

1 answers

Answer question

0

Answer question

Find remote jobs

Accepted Answer · 2022-07-13T04:54:24.824Z

If you want to allow users to read/write their own user document and allow anyone to read their reviews, try these rules:

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update: if request.auth.uid == userId;
      
      match /reviews/{reviewId} {
        allow read: if true;
        allow write: if request.auth.uid == resource.data.userId
      }
    }
  }
}

Here only the poster of review and write (update/delete) it and any unauthenticated users can read them. However they cannot access the User document.

You can read more about security rules in the documentation.