I am trying to use security rules in order to limit what information about other users is able to see one authenticated user, depending on if these users are in the same department or not. I have about 50 users in Firebase Auth whose ids are correlated with the document id in the users collection (usuarios) in firestore. IN the collection, each document have a parameter called departments which is an array of strings, and it represents the departments the user belongs to. Then my goal is to limit the read access into the users which have any department in common. For this I created that security rule:

match /usuarios/{userId} {

allow read: if request.auth != null && "departments" in get(/databases/$(database)/documents/usuarios/$(request.auth.uid)).data.keys() && "departments" in resource.data.keys() && get(/databases/$(database)/documents/usuarios/$(request.auth.uid)).data.departments.hasAny(resource.data.departments); }

I took two users (for simplicity in the explanation userA and userB, but on the example DLuQJrAy… and DoF7SKfp…) of the collection and I add them the departments field with an array of one value (“department1” in the example) in each, all other document users remain with no departments field. So if I am authenticated with userA and try to read userB I should be allowed. If I use the test rules area inside Firestore it work successfully, but if I do the query from flutter web client I receive “Missing or insufficient permissions”.

That code below is the flutter code in the above example. First I query the same user as I am authenticated so I can get the information on my departments and then I do a query to the whole collection with a where clause to filter those who has any value in the array of my departments.

DocumentSnapshot usuarioSnapshot = await firestore.collection('usuarios')

.doc(FirebaseAuth.instance.currentUser?.uid).get();

Map<String, dynamic> usuarioMap = usuarioSnapshot.data() as Map<String, dynamic>;

QuerySnapshot? usuariosSnapshot;

try { usuariosSnapshot = await firestore.collection('usuarios').where("departments", arrayContainsAny: usuarioMap["departments"]).get(); } catch (e) { debugPrint("Exception: $e"); }

Surprisingly I am receiving well the first call and I can see the departments field with the value [“department1”] but then I got into the catch with the “Missing or insufficient permissions”.

What is even more strange is that if I change my security rule to use directly the value [“department1”] instead of resource.data.departments in the parameter of the array.hasAny() function then the query from flutter client works well and I get only the two users that has the department1 (userA and userB).

match /usuarios/{userId} {

allow read: if request.auth != null && "departments" in get(/databases/$(database)/documents/usuarios/$(request.auth.uid)).data.keys() && "departments" in resource.data.keys() && get(/databases/$(database)/documents/usuarios/$(request.auth.uid)).data.departments.hasAny(["department1"]); }

Seems to me it is not related to the flutter query but to how the security rule is behaving if the query comes from the client or is executed directly from the testing area. Since just changing resource.data.departments to [“department1”] (which is the same, also from the view of the test area) makes it work.

I would appreciate if any one could give me some insights on this because I am pretty sure this have to work, even if someone has ever faced a similar issue and how they have overcome it.

Thanks in advance for your help