Firestore Cloud rules in order to share a nested document and sub contents to another user without sharing the parent/same level docs

I need help with firestore rules for a Flutter app i'm trying to create.

How the app should work in short: any registered user (unregistered cannot access) can populate his/her workspace with some records stored as well as sub collections and possibly share some nested documents for reading + the user with shared access can add docs in a nested subcollection.

What i did:

  • At registration time I have stored the "userinfo" from firebase auth (userId, email, name) in another collection called "usrdata" in order to have them available in firestore, so I have userdata/userId1email and that document has 2 fields "name" and "userId" stored

  • On a separated collection, "users", I have the user's workspace: as live case, the worst nested document for a single user would be like users/userId1/collection1/docId1/subcollection1/subdocId1/nestedcollection/nesteddocId1

  • Any registered user have full control of his workspace (the owned collections within his userID path) and could add/edit/delete anything in his "path", so for example userId1 could read/write/update/delete "collection1", add a new "collection2", add/delete/update "docs" and "fields" within any collections, subcollections, nestedcollections and so on.

  • by knowing the email address of another registered user, any user could "share" the fields and the subcollections but just starting from the "subdocId1" level node and the user with share access should not access to other same level documents or parent collections.

And here comes the trouble as I am not be able to set the rules of firestore properly and at that point I'm not even sure that's a right approach, but that's what i'm trying to do:

When userId1 wants to share the "subdocId1" to userId2, I add the email address of the user with share access into another collection named "sharedinfo" within "subdocId1" so "sharedinfo" just contains the documents named as the email address of the users granted to see "subdocId1", like this:


I'm stuck since 3 days and I cannot find a solution for managing the Firestore rules for that Scenario.

userId2 MUST be able to:

  • read (no create/update/delete) the fields stored in users/userId1/collection1/docId1/subcollection1/subdocId1
  • read (no update/delete) all the available "nesteddocs" within then "nestedcollection" (nested in "subdocId1")
  • create a new "nesteddoc" at that "nestedcollection" level

userId2 must NOT see backwards any collections and docs of userId1, so:

  • cannot access any other "subdoc" like for example "subdocId2" in "subcollection1" (unless userId1 granted access to "subdocId2"
  • cannot access "subcollection1" (or any other subcollection at same level) fields
  • cannot access "docId1" (or any other doc at same level)/fields
  • cannot access "collection1" (or any other collection at same level) fields
  • cannot access "userId1" (or any other user except userId2) fields

if userId1 removes the "useriId2email" from "sharedinfo" in "subdocId1" then userId2 loses the view.

if anyone might help on designing the Firestore rules for that Scenario, much appreciated

if there's a better "design" for that Scenario, please let me know

Thanks in advance!

How many English words
do you know?
Test your English vocabulary size, and measure
how many words do you know
Online Test
Powered by Examplum