I am trying to configure firestore rules so that a user can only access information in a collection in a secondary database, when that collection's path contains an id stored in the (default) database.
The default database contains the following document:
users/abcd:
{
companyId: 'efgh'
}
If I configure my rules in the secondary database to be:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function getUserCompany() {
return get(/databases/(default)/documents/users/$(request.auth.uid)).data.companyId;
}
match /co/{cid}/{documents=**} {
allow read, write: if getUserCompany() == cid
}
}
}
Then authenticate with uid abcd, then
getDoc('/co/efgh/some/document')
on the secondary database fails with FirebaseError: Missing or insufficient permissions.
If I test this call using the Rules Playground, it succeeds.
If I use that same rule set on the (default) database, then make the same getDoc() call on the (default) database, it succeeds.
It's only failing when the user is authenticated via the javascript firebase client (10.4.0) and accessing the secondary database.
Should rules like this work across databases?
heard back from GCP support on this:
Unfortunately, Cross-DB get() requests are not currently supported, and there isn't a workaround to make it work at this time.
Bummer. :(