I Have Created firebase and flutter app and google is sending me emails saying firebase rules are not good. How do I make those rules better? I want to give permission to login users to read and my account to read and write permission.
I hope that will help you.
service cloud.firestore {
match /databases/{database}/documents {
// Make sure the uid of the requesting user matches name of the user
// document. The wildcard expression {userId} makes the userId variable
// available in rules.
match /users/{userId} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
allow create: if request.auth != null;
}
}
}
This is a correct way you can secure database.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Line below secure whole database so users are not alowed to create any new collections etc.
match /{document=**} {
allow read, write: if false;
}
match /app/{dataId} {
allow read: if true;
allow write: if isAdmin();
}
match /posts/{dataId} {
allow read: if resource.data.isPublic == true || isAdmin();
allow write: if isAdmin();
}
}
}
function isAdmin() {
return request.auth.token.admin == true;
}
Users don't have any .admin variables. You have to assign them using firebase functions. Read about custom claims.
Related
Can someone please help me I am a complete noob to FireStore and FireBase and am trying to do something simple and FireBase is saying I do not have permission to do it? I am using Flutter. I have the following rules set up in FireBase rules console. I only have one project and one firestore database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow write: if request.auth != null;
allow read: if true;
}
}
}
I have a collection of users setup which has a uid as the collection parameter and running the following code after signing into flutter anonymously which does not throw an error. UserID is set to a valid value.
void createUser(String userID, String userName, String password) async {
final CollectionReference _users =
FirebaseFirestore.instance.collection("Users");
final data = {"Created": DateTime.now(), "LastLoggedIn": DateTime.now()};
_users.doc(userID).set(data, SetOptions(merge: true));
}
I am getting the following error message
10.3.0 - [FirebaseFirestore][I-FST000001] Write at Users/QUIEvBpJeAgprgEan0S736aKjdk2 failed: Missing or insufficient permissions.
I am using anonymous log ons
even when I use the following rules which is supposed to allow all reading and writing of the data I get the same error:
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
I allowed several minutes to go by between when I set the permissions and before testing. Thanks.
Have you tried the default rule with timestamp :
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if
request.time < timestamp.date(2023, 11, 25);
}
}
}
Facing an issue in setting up access rules. So till now we have been storing user data as <user_id>/. And the basic rule as this has been working fine
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "<UID>/path/to/file.txt"
match /{userId}/{allPaths=**} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
}
But now i want a user to be able to store a file under any {userId} as long as he is the owner of the file.
I am doing that by setting the owner metadata attribute when trying to write the file and updating the access rules.
Updated access rules
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "<UID>/path/to/file.txt"
match /{userId}/{allPaths=**} {
allow read, write: if request.auth != null
&& (request.auth.uid == userId || resource.metadata.owner == request.auth.uid);
}
}
}
I have verified that the metadata is being set correctly by uploading the file to the user’s own path. But when i try to write under some other user’s path, i am getting access denied
See the screenshot of the metadata info of the file i am trying to upload
Finally found the issue.
I didn't read the documentation carefully. When writing a file, in order to check the metadata of the incoming file, we have to use request.resource. So the write rule had to be request.resouce.metadata.owner
Updated rule that works
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "<UID>/path/to/file.txt"
match /{userId}/{allPaths=**} {
allow read: if request.auth != null
&& (request.auth.uid == userId || resource.metadata.owner == request.auth.uid);
allow write: if request.auth != null
&& (request.auth.uid == userId || request.resource.metadata.owner == request.auth.uid);
}
}
}
Question:
For the different top-level firestore collections below, how to restrict access to all but one of the paths?
We are building a data schema in Firestore to support a chat app for teachers across multiple schools.
The top-level firestore collections include:
/siteAdminUsers
/schools
/schools/{schoolId}/teachers
/schools/{schoolId}/chats
Below is the security rules setup we are trying now - where we check for:
valid user auth
expected value exists in userClaim variable request.auth.token.chatFlatList
However, the read listener for /messages is being blocked.
Error message:
FirebaseError: [code=permission-denied]: Missing or insufficient permissions
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
match /schools/{schoolId}/chats/{discussionId}/messages {
allow write: if false;
allow read: if request.auth != null
&& request.auth.token != null
&& request.auth.token.chatFlatList.val().contains($discussionId);
}
}
Details
We are using cloud functions for all data read/write, so for almost every case we can just block all client access.
The one exception is for the chat discussions, where we need to set a snapshot listener in the mobile client to know when there are new messages.
Sub-collection notes:
At a school, there are discussion sessions for school staff (teachers, admins, etc)
/schools/{schoolId}/chats/{discussionId}
Where each discussion-document contains:
list of participant teacher ids
subcollection for actual messages where each document is an indivual posted message:
/schools/{schoolId}/chats/{discussionId}/messages
User Claim code from Cloud Function
Looking at the cloud function logs, we have verified that the userClaim is being set.
return firebaseAdmin
.auth()
.setCustomUserClaims(
uid, {
chatFlatList: 'id1 id2 id3'
}
);
UPDATE #1
Tried the following variation where rules skip/omit the check on userClaim and auth.token.
However, still same permission error.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
match /schools/{schoolId}/chats/{discussionId}/messages {
allow write: if false;
allow read: if request.auth != null;
}
}
}
I think the issue here is that you are writing a rule on the collection called messages.
All match statements should point to documents, not collections.
https://firebase.google.com/docs/firestore/security/rules-structure
You should try adding /{document=**} after your path to messages, something like:
match /schools/{schoolId}/chats/{discussionId}/messages/{document=**} {
allow write: if false;
allow read: if request.auth != null;
}
This worked for me if I wanted to read and write all collection but not one collection named "backStage";
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{collection}/{document} {
allow read: if true
allow write: if (collection != "backStage");
}
}
}
Here's a solution (seems to be working), which includes the check on chatFlatList user claim variable (from original question) for a substring :
match /schools/{schoolId}/chats/{discussionId}/messages {
allow write: if false;
allow read: if request.auth != null
&& request.auth.token.chatFlatList.matches(discussionId);
}
Figured this out thanks to:
Firebase storage rules based on custom parameters
Here the post shows there is not any $ notation to access the path var. I recall seeing this in a security rules example code example - maybe it's specific to database tiers?
https://firebase.google.com/docs/reference/security/storage/#string
https://regex-golang.appspot.com/assets/html/index.html
Trying some example inputs here, to get an understanding for how to create the regex's.
So, I typically don't have problems writing firestore rules but I'm coming up short on why this simulation fails.
If you don't want to follow the image link:
Rules:
service cloud.firestore {
match /databases/{database} {
match /server_credentials/{document = **} {
allow read, write: if false;
}
match /users/{user_uid} {
allow read, write;
match /signatures/{sig_id} {
allow read: if request.auth.uid != null && resource.data.access == "public";
allow read, write: if request.auth.uid == user_uid;
}
match /identity/{credential} {
allow read, write: if request.auth.uid == user_uid;
}
}
match /signatures/{sig_id} {
allow read, list;
allow write: if false;
}
}
}
Auth details:
Google as provider and foo as the uid.
I'm testing a simple read to users/foo
Any help would be quite nice.
This line is incorrect:
match /databases/{database} {
It should be this:
match /databases/{database}/documents {
This mistake is causing none of your rules to apply at all, and all access is being rejected by default.
I'm currently using Firestore for database and ran in to insufficient permission error. What I don't understand is why isPartner() will work when my path is
users/{uid}
but give me permission error when it's
object/{objectID}
Security Rules
service cloud.firestore {
match /databases/{database}/documents {
match /users/{uid} {
allow read: if isSignedIn();
allow write: if isOwner(uid) || isPartner();
match /object/{objectID} {
allow read, write : if isPartner() || isOwner(uid);
}
function isOwner(userID) {
return request.auth.uid == userID
}
function isPartner() {
return resource.data.partnerUID == request.auth.uid
}
}
}