I'm trying to secure requests to a collection to allow any single get, but only to allow list if a specific key is matched.
Database structure is like this:
projects
project1
name: "Project 1 name"
board_id: "board1"
project2
name: "Project 2 name"
board_id: "board2"
boards
board1
board2
The Firestore query I'm making from Vue:
// Only return projects matching the requested board_id
db
.collection("projects")
.where("board_id", "==", this.board_id)
The security rules I'd like to have would be something like this:
match /projects/{project} {
allow get: if true // this works
allow list: if resource.data.board_id == [** the board_id in the query **]
// OR
allow list: if [** the board_id in the query **] != null
I want to do this so you can list the projects in a specific board, but can't just list everything.
Is there a way to access the requested .where() in the security rules or do I need to nest my projects collection inside my boards collection and secure it that way?
