Firestore Cloud rules in order to share a nested document and its sub-contents with another user without sharing the parent/same-level docs
I need help with Firestore rules for a Flutter app I'm trying to create.
How the app should work, in short: any registered user (unregistered users cannot access it) can populate his/her workspace with some stored records as well as subcollections, and possibly share some nested documents for reading; in addition, the user with shared access can add docs in a nested subcollection.
What I did:
At registration time I have stored the "userinfo" from Firebase Auth (userId, email, name) in another collection called "usrdata" in order to have them available in Firestore, so I have userdata/userId1email and that document has 2 fields, "name" and "userId", stored.
In a separate collection, "users", I have the user's workspace: as a live case, the most deeply nested document for a single user would be something like users/userId1/collection1/docId1/subcollection1/subdocId1/nestedcollection/nesteddocId1
Any registered user has full control of his workspace (the owned collections within his userId path) and can add/edit/delete anything in his "path"; so, for example, userId1 could read/write/update/delete "collection1", add a new "collection2", and add/delete/update "docs" and "fields" within any collections, subcollections, nested collections and so on.
By knowing the email address of another registered user, any user can "share" the fields and the subcollections, but only starting from the "subdocId1" level node, and the user with shared access should not be able to access other same-level documents or parent collections.
And here comes the trouble: I am not able to set the Firestore rules properly, and at this point I'm not even sure that's the right approach, but that's what I'm trying to do:
When userId1 wants to share "subdocId1" with userId2, I add the email address of the user with shared access into another collection named "sharedinfo" within "subdocId1", so "sharedinfo" just contains documents named after the email addresses of the users granted access to "subdocId1", like this:
I've been stuck for 3 days and I cannot find a solution for managing the Firestore rules for this scenario.
userId2 MUST be able to:
- read (no create/update/delete) the fields stored in users/userId1/collection1/docId1/subcollection1/subdocId1
- read (no update/delete) all the available "nesteddocs" within the "nestedcollection" (nested in "subdocId1")
- create a new "nesteddoc" at that "nestedcollection" level
userId2 must NOT be able to see any collections and docs of userId1 further up the tree, so:
- cannot access any other "subdoc", like for example "subdocId2" in "subcollection1" (unless userId1 granted access to "subdocId2")
- cannot access "subcollection1" (or any other subcollection at same level) fields
- cannot access "docId1" (or any other doc at same level)/fields
- cannot access "collection1" (or any other collection at same level) fields
- cannot access "userId1" (or any other user except userId2) fields
If userId1 removes "userId2email" from "sharedinfo" in "subdocId1", then userId2 loses the view.
If anyone can help with designing the Firestore rules for this scenario, it would be much appreciated.
If there's a better "design" for this scenario, please let me know.
Thanks in advance!
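One way to express the described scheme in Firestore security rules, as an added example and not code from the question: the owner gets full control over everything under users/{userId}, and a grantee is recognised only by the existence of a document named after their email under the shared document's sharedinfo subcollection. The collection names are wildcards because the question says users can add collections such as "collection2", and the email_verified check and the exclusion of sharedinfo from the nested-collection rule are my additions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }
    // A grant is a document under <shared doc>/sharedinfo whose id is the grantee's
    // email. email_verified is checked so that an account registered with someone
    // else's (unverified) email address cannot pick up that person's grants.
    function isGrantee(userId, coll, docId, subcoll, subdocId) {
      return signedIn()
        && request.auth.token.email_verified == true
        && exists(/databases/$(database)/documents/users/$(userId)/$(coll)/$(docId)/$(subcoll)/$(subdocId)/sharedinfo/$(request.auth.token.email));
    }

    // Owner: full control over every document in the workspace, at any depth.
    // This also covers the sharedinfo documents, so only the owner manages grants.
    match /users/{userId}/{document=**} {
      allow read, write: if isOwner(userId);
    }

    // Shared document (e.g. users/userId1/collection1/docId1/subcollection1/subdocId1).
    // Only 'get' is allowed, so the grantee can fetch the document by its full path
    // but cannot list subcollection1 or read docId1, collection1 or users/userId1.
    match /users/{userId}/{coll}/{docId}/{subcoll}/{subdocId} {
      allow get: if isGrantee(userId, coll, docId, subcoll, subdocId);

      // Nested collections: the grantee may read (get + list) and create,
      // but not update or delete. sharedinfo is excluded, otherwise the grantee
      // could read the grant list or create a grant for a third party.
      match /{nestedcoll}/{nestedId} {
        allow read, create: if nestedcoll != 'sharedinfo'
          && isGrantee(userId, coll, docId, subcoll, subdocId);
      }
    }
  }
}
```

Deleting users/userId1/.../subdocId1/sharedinfo/userId2email makes the exists() check fail, so the grantee loses access immediately; each exists() call is billed as a document read.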