As for security rules of Firebase Realtime Database, both public and private data can exist in the same tree using such as the following rule.
However, when using Firestore, it doesn't seem to enable us to do the same because the chuck of data we can retrieve is only under collection or document.
When public and private data is defined in the same document and getting data w/ collection/document, we'd get error of insufficient permissions as for private data if we are not the owner.
When using RTDB, we can get data of 'users/{userId}/publicInfo' because we don't have any idea of collection/document.
Are there any way to do this of RTDB with Firestore? Otherwise, we should have public/private collection separately?
// rule of Firebase Realtime Database
"users": {
"$user_id": {
".read": "auth.uid === $user_id",
".write": "auth.uid === $user_id",
"private": {
".read": "auth.uid === $user_id" // --- private data
}
"public": {
".read": "auth !== null"; // --- public data
}
}
}
// Firestore
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
match /{private=**} {
allow read, write: if request.auth == userId;
}
match /{public=**} {
allow read, write: if request.auth != null;
}
}
}
}
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…