I can't understand why I get permission denied error for below code.

    stream = FirebaseFirestore.instance
        .collection('events')
        .doc(widget.event.id)
        .collection('invitations')
        .snapshots();

    match /events/{eventId} {
      match /invitations/{email} {
        allow read: if
            request.auth.token.email == email ||
            request.auth.token.email == get(/databases/$(database)/documents/events/$(eventId)).data.user_id;
      }
    }

I can't understand why I get permission denied error for below code.

    stream = FirebaseFirestore.instance
        .collection('events')
        .doc(widget.event.id)
        .collection('invitations')
        .snapshots();

    match /events/{eventId} {
      match /invitations/{email} {
        allow read: if
            request.auth.token.email == email ||
            request.auth.token.email == get(/databases/$(database)/documents/events/$(eventId)).data.user_id;
      }
    }

• flutter
• firebase
• google-cloud-firestore
• firebase-security

Share Improve this question Follow edited Mar 10 at 17:01 Frank van Puffelen 601k8585 gold badges890890 silver badges860860 bronze badges Recognized by Google Cloud Collective asked Mar 10 at 15:43 supercrissysupercrissy 1344 bronze badges

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

Your query is demanding all of the documents in a subcollection called "invitations", but your rules for that collection require that the query can only request individual documents whose ID is equal to request.auth.token.email or a field in a different document.

Firebase security rules are not filters (you should read this documentation and understand what it's saying). Rules will not look at each document and figure out which ones the user may find. The rules require that the query request only the specific documents that are allowed by the rule, which means you code should only get() a single document that meets the rules requirements.