Skip to main content

System Functions

Security rules include built-in system-level functions that provide powerful general capabilities to perform operations. Developers can directly call these functions in rule expressions to implement corresponding functionalities, enabling more flexible control over resource access permissions.

get

static

get(path) returns document object

Retrieves the specified doc content based on the parameters.

Parameters

ParameterTypeDescription
pathstringNon-empty. A string in the format database.collection name.document id. The value can be obtained through various computation methods, such as concatenation using string templates (`database.${doc.collection}.${doc._id}`)

Return Value

undefined or null indicates that the doc does not exist; otherwise, it is a document object representing the data retrieved from the query.

Example

  1. User permissions are written in a separate document, using a numerical value to represent the scope of user permissions.
{
  "read": "get('database.test.123')[auth.uid] in [1,2,3]",
  "delete": "get('xxxx')[auth.uid] == 1 && doc.user in ['ersed','sfsdf'] "
}
  1. Collection A contains shopId and orderId relationships, while collection B contains owner and shopId relationships. When querying collection A, the goal is to restrict results to orders from shops for which the current user has permissions.
{
  "read:": "auth.openid in get(`database.B.${doc.shopId}`).owner"
}

Limitations

  1. The variable doc present in the get parameters must appear in the query condition using == or in. If in is used, only a single value is allowed, i.e., doc.shopId in array, array.length == 1
  2. An expression can have up to 3 get functions and can access up to 10 different documents.
  3. The nesting depth of the get function is at most 2, i.e., get(get(path)).

Notes

  1. Without using variables, each get results in one read operation. When using variables, each get and each variable value will result in one read operation. For example, the rule _get(\database.collection.\${doc._id}`).testwould generate 5 read operations when querying.or([{_id:1},{_id:2},{_id:3},{_id:4},{_id:5}])}`. The system caches reads for the same document and same field (where possible, security rules will merge reads for different fields of the same document, fetching multiple fields in a single read to reduce database resource consumption; the degree of merging depends on rule complexity and implementation).