Error with advanced Security Rules in Firestore


Hello FlutterFlow Community,

I’m working on setting up solid Firestore Rules for my new company web app. While FlutterFlow may not be ideal for web apps, I’m using it for a Proof of Concept (POC). Nevertheless, it’s crucial that the rules are solid. I started by setting up the rules within FlutterFlow, and then I enhanced those rules manually in the Firestore Rules Console.

Currently, I’m stuck on the rule for creating user documents. In my company platform, each company operates in its own ecosystem, with no interaction between different companies or their users. Users cannot create accounts themselves; they must first be created by an admin within the app. After creation, users can log in on their own. Each user document includes a reference to the company they belong to, and each company document has a users_list field that stores user document IDs (not references, just their ID as a string).

What I’m Trying to Achieve:

A user should only be allowed to create another user if the creating user is listed in the users_list of the company that is referenced in the companyid field of the user being created. Additionally, the creating user must have their is_admin field set to true.

Since I’ve been encountering errors, I’ve temporarily commented out the entire rule and am now trying to fix it line by line. This post focuses specifically on the rule that checks whether the creating user is listed in the users_list of the companyid of the user being created.

What have you tried so far?

The rule that I believe should work is as follows:

allow create: if request.auth.uid != null &&
    request.auth.uid in get(/databases/$(database)/documents/$(request.resource.data.companyid.path)).data.users_list;

However, this rule results in the following error:

Error running simulation – Error: simulator.rules line [75], column [73]. Service call error. Function: [get], Argument: [path_value { segments { simple: "databases" } segments { simple: "(default)" } segments { simple: "documents" } segments { simple: "<my_company_id>" } } ]. (viewing outdated simulation)

I then simplified the rule to this:


allow create: if request.auth.uid != null &&
    exists(/databases/$(database)/documents/$(request.resource.data.companyid.path));

Interestingly, this rule worked yesterday, but today it doesn’t. Now, I get the following error:

Error running simulation – Error: simulator.rules line [74], column [52]. Function not found error: Name: [exists].


I came across a GitHub issue related to the first error message, but it was for using cross-service security rules with the emulator (a different context). That issue was related to Firestore documents containing null values. Although this might not be relevant to my situation, I deleted all null fields in the referenced companies document, but the issue persists.

I’ve attached some screenshots of what my “create” simulation request looks like.

Any help or guidance would be greatly appreciated. Thanks in advance!

Did you check FlutterFlow's Documentation for this topic?
Yes
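One way to express the check described in the post, as an added example (not the poster's rules and not FlutterFlow-generated rules). It assumes a `users` collection whose document IDs equal the Firebase Auth UID, and that `companyid` is stored as a Firestore reference field, which rules see as a path that `get()` accepts directly; the helper names `caller` and `targetCompany` are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The signed-in user's own document.
    // Assumption: collection is named "users" and doc ID == Auth UID.
    function caller() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
    }

    // The company the new user is being attached to.
    // Assumption: companyid is a reference-typed field, so it is already a
    // full document path and is passed to get() without string interpolation.
    function targetCompany() {
      return get(request.resource.data.companyid).data;
    }

    match /users/{userId} {
      // Create is allowed only when the caller is signed in, is listed in
      // the target company's users_list, and is flagged as admin.
      allow create: if request.auth != null
        && request.resource.data.companyid is path
        && request.auth.uid in targetCompany().users_list
        && caller().is_admin == true;

      // is_admin and companyid drive the create decision above, so a user
      // must not be able to change them on their own document.
      allow update: if request.auth != null
        && request.auth.uid == userId
        && !request.resource.data.diff(resource.data).affectedKeys()
             .hasAny(['is_admin', 'companyid']);
    }
  }
}
```

In the Rules Playground the simulated `companyid` value has to be entered as a reference type for the `is path` check and the `get()` call to evaluate against a real document.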