System Functions
Security Rules include a built-in set of system-level functions. Developers can call these functions directly inside rule expressions to achieve more flexible control over resource access permissions.
get
Static Function
Syntax: get(path)
Returns: document object
Feature: Obtains document content based on the specified path.
Parameters
| Parameter | Type | Description |
|---|---|---|
| path | string | A non-empty string in the format database.collection_name.document_id. It can be computed in multiple ways, for example, using string templates for concatenation: `database.${doc.collection}.${doc._id}` |
Return Value
- If the document does not exist, returns `undefined` or `null`
- If the document exists, returns a document object containing the document data
Usage Example
Example 1: User permissions are stored in a separate document, using numerical values to represent permission scopes
{
  "read": "get('database.test.123')[auth.uid] in [1,2,3]",
  "delete": "get('database.permissions.user_rights')[auth.uid] == 1 && doc.user in ['user1','user2']"
}
Example 2: Cross-collection permission verification. Collection A holds the association between shopId and orderId, and Collection B holds the association between owner and shopId. The rule restricts users to querying only the orders of stores they are authorized for.
{
  "read": "auth.openid in get(`database.B.${doc.shopId}`).owner"
}
Usage Limits
- When the `get` parameter contains a `doc` variable, this variable must appear in the query condition using `==` or `in`. If the `in` method is used, only a single value is allowed for `in`, that is, `doc.shopId in array` and `array.length == 1`
- A single expression can use up to 3 `get` functions and can access up to 10 different documents.
- The `get` function supports a maximum nesting depth of 2, that is, it can be used in the form `get(get(path))`, but not with deeper nesting.
Performance Description
Each call to the get function incurs a database read operation:
- When no variables are used: each `get` results in one read operation
- When variables are used: each `get` results in one read operation for each variable value
For example: The rule get(`database.collection.${doc._id}`).test triggers five read operations when querying _.or([{_id:1},{_id:2},{_id:3},{_id:4},{_id:5}]).
The system optimizes caching for reads of the same document and same field. Where possible, security rules will merge reads of different fields in the same document to obtain multiple fields in a single operation, reducing database resource consumption. The merging efficiency depends on the complexity and writing style of the rules.
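The usage limits and read costs described above can be checked before a rule is deployed. The following is an added example, not part of the original documentation or the platform's own code: a small scanner that counts `get` calls, measures nesting depth and estimates read operations for a rule expression. The names `scanGets`, `checkRule` and `valuesPerVariable` are assumptions of this example, and the worst-case read count is used as an upper bound on distinct documents.

```javascript
// Added example: lint a rule expression against the documented get() limits.
// Assumption: this character scanner stands in for the platform's real parser;
// string literals are treated as opaque and escaped quotes are not handled.
const MAX_GETS = 3, MAX_DEPTH = 2, MAX_DOCS = 10;

// Return one { depth, arg } entry per get(...) call found in the expression.
function scanGets(expr) {
  const calls = [];
  const open = [];   // stack of open parens: a call record for get(, else null
  let quote = null;  // active string delimiter: ', " or `
  for (let i = 0; i < expr.length; i++) {
    const c = expr[i];
    if (quote) { if (c === quote) quote = null; continue; }
    if (c === "'" || c === '"' || c === "`") { quote = c; continue; }
    if (c === "(") {
      // "get" immediately before "(" and not the tail of a longer identifier
      const isGet = /(^|[^\w$.])get$/.test(expr.slice(Math.max(0, i - 4), i));
      const depth = open.filter(Boolean).length + 1;
      open.push(isGet ? { depth, start: i + 1 } : null);
    } else if (c === ")") {
      const call = open.pop();
      if (call) calls.push({ depth: call.depth, arg: expr.slice(call.start, i) });
    }
  }
  return calls;
}

// valuesPerVariable (hypothetical parameter): how many values the query
// supplies for the doc variable, e.g. 5 for an _.or over five _id values.
function checkRule(expr, valuesPerVariable = 1) {
  const calls = scanGets(expr);
  // A path is static when it is one string literal with no ${...} part.
  const isStatic = (arg) => /^\s*(['"`])[^'"`$]*\1\s*$/.test(arg);
  // Documented cost: one read per static get, one per variable value otherwise.
  const reads = calls.reduce((n, c) => n + (isStatic(c.arg) ? 1 : valuesPerVariable), 0);
  const maxDepth = Math.max(0, ...calls.map((c) => c.depth));
  const problems = [];
  if (calls.length > MAX_GETS) problems.push(`${calls.length} get calls (limit ${MAX_GETS})`);
  if (maxDepth > MAX_DEPTH) problems.push(`nesting depth ${maxDepth} (limit ${MAX_DEPTH})`);
  // Assumption: worst-case reads are used as an upper bound on distinct documents.
  if (reads > MAX_DOCS) problems.push(`up to ${reads} documents (limit ${MAX_DOCS})`);
  return { gets: calls.length, maxDepth, reads, problems };
}

// Rule from the performance example above, queried with five _id values.
console.log(checkRule("get(`database.collection.${doc._id}`).test", 5));
```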