System Functions
Security rules include built-in system-level functions that can be called directly in rule expressions, giving developers more flexible control over resource access permissions.
get
static
get(path) returns document object
Retrieves the specified doc content based on the parameters.
Parameters
Parameter | Type | Description |
---|---|---|
path | string | Non-empty. A string in the format database.collection name.document id. The value can be computed in various ways, such as concatenation using string templates (`database.${doc.collection}.${doc._id}`). |
Return Value
undefined or null indicates that the doc does not exist; otherwise, it is a document object representing the data retrieved from the query.
Example
- User permissions are written in a separate document, using a numerical value to represent the scope of user permissions.
{
"read": "get('database.test.123')[auth.uid] in [1,2,3]",
"delete": "get('xxxx')[auth.uid] == 1 && doc.user in ['ersed','sfsdf'] "
}
- Collection A contains shopId and orderId relationships, while collection B contains owner and shopId relationships. When querying collection A, the goal is to restrict results to orders from shops for which the current user has permissions.
{
"read": "auth.openid in get(`database.B.${doc.shopId}`).owner"
}
Limitations
- The variable doc present in the get parameters must appear in the query condition using == or in. If in is used, only a single value is allowed, i.e., doc.shopId in array, array.length == 1
- An expression can have up to 3 get functions and can access up to 10 different documents.
- The nesting depth of the get function is at most 2, i.e., get(get(path)).
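The limits above can be checked before a rule set is deployed. The following is an added example, not part of the original documentation or the platform's own code: `analyzeExpression` and `lintRules` are hypothetical helper names, and the sample rules are constructed. It counts get calls per expression, measures their nesting depth, and lists the doc fields used inside get arguments, which the query must constrain.

```javascript
const MAX_GET_CALLS = 3; // per-expression limit stated on this page
const MAX_GET_DEPTH = 2; // get(get(path)) is the deepest form allowed

// Returns get() call count, deepest get() nesting, and doc fields used inside
// get() arguments. Simplification: '...' and "..." are skipped as opaque text;
// template strings are scanned so that ${doc.x} is seen.
function analyzeExpression(expr) {
  const parens = []; // one entry per open "(", true when it opens a get( call
  const docFields = new Set();
  const isIdent = (c) => c !== undefined && /[\w$.]/.test(c);
  let calls = 0, depth = 0, maxDepth = 0, quote = null;
  for (let i = 0; i < expr.length; i++) {
    const ch = expr[i];
    if (quote) {
      if (ch === '\\') i++; // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') { quote = ch; continue; }
    if (expr.startsWith('get(', i) && !isIdent(expr[i - 1])) {
      calls++; parens.push(true);
      maxDepth = Math.max(maxDepth, ++depth);
      i += 3; continue; // land on "(", the loop increment steps past it
    }
    if (ch === '(') { parens.push(false); continue; }
    if (ch === ')') { if (parens.pop()) depth--; continue; }
    if (depth > 0 && !isIdent(expr[i - 1])) {
      const m = /^doc\.([A-Za-z_]\w*)/.exec(expr.slice(i));
      if (m) docFields.add(m[1]);
    }
  }
  return { calls, maxDepth, docFields: [...docFields] };
}

function lintRules(rules) {
  const findings = [];
  for (const [op, expr] of Object.entries(rules)) {
    if (typeof expr !== 'string') continue; // only string expressions are scanned
    const a = analyzeExpression(expr);
    if (a.calls > MAX_GET_CALLS) findings.push(`${op}: ${a.calls} get() calls, limit is ${MAX_GET_CALLS}`);
    if (a.maxDepth > MAX_GET_DEPTH) findings.push(`${op}: get() nested ${a.maxDepth} deep, limit is ${MAX_GET_DEPTH}`);
    for (const f of a.docFields) findings.push(`${op}: query must constrain doc.${f} with == or a single-value in`);
  }
  return findings;
}

// Constructed sample rules; collection and field names are illustrative.
const sampleRules = {
  read: "auth.openid in get(`database.B.${doc.shopId}`).owner",
  delete: "get(get(get('database.a.1').p).q).r == 1",
};
console.log(lintRules(sampleRules));
```

The scanner does not handle literal parentheses inside template strings, so treat its output as a pre-deployment hint rather than a substitute for the platform's own validation.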
Notes
- Without using variables, each get results in one read operation. When using variables, each get and each variable value will result in one read operation. For example, the rule ``get(`database.collection.${doc._id}`).test`` would generate 5 read operations when querying `_.or([{_id:1},{_id:2},{_id:3},{_id:4},{_id:5}])`. The system caches reads for the same document and same field (where possible, security rules will merge reads for different fields of the same document, fetching multiple fields in a single read to reduce database resource consumption; the degree of merging depends on rule complexity and implementation).