I have taken over a project which has the following data model in firestore:
/Chat/{chatId}/messages/{messageId}
/Chat/{chatId}
{
users: ["24","51"]
messages: [ //collection
{message:"...", sender: 24, time:"...", users: ["24","51"]},
]
}
Through flutter I'm reading the chat via:
StreamBuilder<QuerySnapshot>(
stream: FirebaseFirestore.instance
.collection("Chat")
.doc(chatID.toString())
.collection("messages")
.orderBy("time", descending: false)
.snapshots(),
I need to ensure that only the two users that is involved in the chat is allowed to read the messages, but have a hard time doing so.
My current rules look like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Chat/{chatId}{
allow read: if "24" in resource.data.users //24 is being replaced with request.auth.uid when it works
allow write
match /messages/{messageId}{
allow read: if "24" in resource.data.users //24 is being replaced with request.auth.uid when it works
allow write
}
}
}
}
With the above, I'm getting a permission error when trying to list the chats through flutter, it gives the error:
Chat/1103/messages failed: Missing or insufficient permissions.
How do I write a rule where it's only the the two users that is able to read and write to the messages?
Security rules do not filter data. Instead they merely ensure that your code does not try to read more data than it's authorized for.
Since your rules say that the code can only read messages that the user is a collaborator on, your code should also limit its reading to such messages. So: add a condition to your query:
where('users', whereArrayContains: 'uidOfCurrentUser')
With that additional condition the rules can see that you're not trying to read more data than allowed.
Related
I've been trying to get the Firestore rules to play nice for a while now and every time I think I get them right, another portion stops working for some reason.
I'm trying to have some simple rules, if you made the document that document and any child documents or collections, you can create, edit and delete them. I thought this was pretty simple but alas I keep getting permission denied errors.
Rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
allow create: if request.auth != null;
}
match /users/{userId}/{document=**} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
allow create: if request.auth != null;
}
}
}
When doing just the match /users/{userId} I was able at one time able to create user documents but I couldn't create child documents or colletions.
When doing just the match /users/{userId}/{document=**} I could no longer create users but any existing users I could add child documents and collections and do everything expected.
This combination of both rules doesn't seem to work either.
I keep getting [cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation. when I try to create a user with this statement:
await FirebaseFirestore.instance.collection('users').doc(googleUser.uid).set(
{
'created': now,
'lastLogin': now,
'name': name,
'email': email,
},
);
Now nothing works. I deleted all my authentication accounts and my Firestore data and wanted to start over but it simply will not create the data in Firestore.
Any suggestions would be greatly appreciated as I'm going in circles and nothing is working anymore which is extremely frustrating as it did at one point but no longer does.
edit All of my testing is being done on a real Android phone.
After walking away from my computer and thinking more, I figured out what it was. My App Check debug token changed somehow.
Once I added the new value from the debug console everything started working again.
I'll leave this answer here in case this saves anyone else some headaches in the future!
Edit: Additionally, ones App Check debug token will change anytime you clear storage on your app on the device. Which is why mine was changing.
I created a rule in Cloud Firestore to read/write based on wether the user is signed in through Firebase Auth or not.
From my understanding based on what I read in the official documentation, the following code should allow the signed in user the correspodent permissions to the userID document inside the data collection.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/document {
match/data/{userId}{
allow read, write: if isSignedIn();
}
}
function isSignedIn(){
return request.auth != null;
}
}
Database image:
The idea is that after the user logs in, the code I wrote should verify if there is a document called ReservedID in data/userID/ReservedID, and if there isn't, create one for him, however, this collection is never created.
It does work if I remove the security rules.
Image of the error that shows in Android Studio:
However, after signing in using mAuth.signInWithEmailAndPassword, the user still can't write or read from the database. The Android Studio Logcat provides this message:
PERMISSION_DENIED: Missing or insufficient permissions.
Did I misunderstood how to properly set these rules in my database? Or could it have something to do with the code itself?
It looks like there are some issues with the code.
The match statement should specify the path to the collection and whole documents, rather than just one document. i.e you are using the path for single document match /databases/{database}/document instead of below path:
match /databases/{database}/documents {
match/data/{userId}{
}
With the above changes, the code will look like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match/data/{userId}{
allow read, write: if isSignedIn();
}
}
function isSignedIn() {
return request.auth != null;
}
}
You can verify this on playground
I have some rules like:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /teams/{teamId} {
allow read, write, delete, list:
if debug(teamId) in debug(request.auth.token.teams)
allow create:
if true;
}
}
}
I am using claims to control access. Each user has an array of teams in their token. That part is working fine.
Basically, teamId (coming from the path) doesn't exist. Nothing is printed in the log for this variable. I can't figure out whats going on. Is there some different way to access that teamId variable?
by doing some logs, it seems that for accessing /teams/teamXXXX I'm getting multiple rule hits. First on /database/default/documents/teams and then again on /database/default/documents/teams/teamXXX The first rule pass is failing because {teamId} is not defined on that path. I need to somehow allow access to the collection while limiting access to the child documents
It looks like the way I'm accessing teams may be causing a problem. I'm getting teams by doing a query like:
instance.collection("teams").where('owners',
arrayContains: FirebaseAuth.instance.currentUser!.uid);
This must be triggering the rule check where no {teamId} in the path. I thought about wrapping my match statement like:
match /teams/{document=**}
allow read:
if (request.auth.uid != "")
match /teams/{teamId} {
allow read, write, delete, list:
if debug(teamId) in debug(request.auth.token.teams)
allow create:
if true;
}
}
I'm worried that this will just allow all documents. I'm stuck.
answering my own question.
When doing a search / list on a collection, it still matches the rule of /teams/{teamId} even though you are not specifically querying by teamId.
Meaning a search like instance.collections("teams").where(...) will still match /teams/{teamId}
In the match, {teamId} will be blank. Instead, you must look at the input paramters coming in via the "resource" variable. The items you have in the "where" clauses will appear in the resource variable. You must use the resource data to resolve your rules.
So I had to separate the "list" rule form the rest of the rules.
I'm testing permission for accessing user A's document from login user B.
User B already saved uid_A on it's path /userData/uid_B/subscriber/uid_A.
In this situation, I'd like to access A's document by checking subscriber in Firestore rule.
service cloud.firestore {
..
match /databases/{database}/documents {
match /userData/{uid}/{document=**} {
allow create, read, update, delete: if exists(/databases/{database}/documents/userData/$(request.auth.uid)/subscriber/$(uid));
}
}
}
But following Flutter code fails with this message:
6.33.0 - [Firebase/Firestore][I-FST000001] Listen for query at userData/uid_A failed: Missing or insufficient permissions.
await db.collection('userData').doc('uid_A').get();
The reason user B want's to access user A's document is to add uid_B as user A's provider, so user A can easily list up his accessible documents on screen.
I wonder what's causing this issue and how to resolve this kind of problem.
Thanks for advance.
Your syntax for the document to check with exists() isn't correct. The full path includes more, as shown in the documentation:
exists(/databases/$(database)/documents/userData/$(request.auth.uid)/subscriber/$(uid));
I need some help making my security rules for firestore work.
These are my firestore rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
function isAdmin(uid) {
return (uid in get(/admin/administrators).data.uid)
}
allow read;
allow write: if request.auth.uid != null && isAdmin(request.auth.uid);
}
}
}
In document /admin/administrators there is a field named uid containing an array of UIDs of administrators which are allowed to write in the database.
After I logged in as one such administrator and tried to add a document to another collection. (Specifically, the call in my Angular application using Angularfire 2 is this.afStore.collection(collection).add({});) I received the error Error: Missing or insufficient permissions.
Any help appreciated (including "there's obviously a better way to do this")
You should enter the absolute path of the collection you're trying to reference. Change the (uid in get(/admin/administrators).data.uid) to get(/databases/$(database)/documents/admin/$(request.auth.uid)).data.uid