I can't understand why I get permission denied error for below code.
stream = FirebaseFirestore.instance
.collection('events')
.doc(widget.event.id)
.collection('invitations')
.snapshots();
match /events/{eventId} {
match /invitations/{email} {
allow read: if
request.auth.token.email == email ||
request.auth.token.email == get(/databases/$(database)/documents/events/$(eventId)).data.user_id;
}
}
Your query is demanding all of the documents in a subcollection called "invitations", but your rules for that collection require that the query can only request individual documents whose ID is equal to request.auth.token.email or a field in a different document.
Firebase security rules are not filters (you should read this documentation and understand what it's saying). Rules will not look at each document and figure out which ones the user may find. The rules require that the query request only the specific documents that are allowed by the rule, which means you code should only get() a single document that meets the rules requirements.