I have a Firestore security rule where removed field can be set to the server time stamp, to mark that a document is de-activated.
I cannot find a way to test this with the Firestore Rules Simulator. It allows me to build a document, but there is no FieldValue to select from:
This feels like a crucial feature omission, since I cannot figure out any other way to test such a rule.
There are several cases that currently can't be simulated in the console. If you have a feature request, you can file that with Firebase support.
The best way to test your security rules is to use the local emulator. This lets you write code to test specific queries against rules, without the need to work with an actual Firestore instance or the console. You should be able to test your rules that way.
Related
I have seen that there is an extension called "delete user data" which simplifies the data deletion process performing hard deletions in order to accomplish with the GDPR policies.
This extension is really cool, and let us config it specifying full path to docs or collections, including storage stuff. But... what if I need to run a query because the user id is not the identifier of the document?
Is it possible to configure the extension to "perform queries"? Is it perfectly normal to run another auth triggered cloud function for deleting query-related docs/fields?
Yes, you can have as many cloud triggered events as you like.
It sounds like, based on the information you've provided that writing a new Cloud Function triggered onDelete would be the best approach.
Is it possible to configure the extension to "perform queries"?
No it is not possible, see this anwser.
I am wondering, I have to allow a user to change only certain parts of a document and I came up with two different solutions:
A: Locking the document with firestore rules and modify parts I am interested in using a https function (checking that the request is coming from document owner)
B: allowing only the owner of the document to make changes (with firestore rules) and trigger a onChange cloud function to check if he/she changed only the things that they are allowed. If not reject the changes
I would like if there is any safer approach or both are valid in the same way. How easy is to trick a https function?
In many cases both approaches are valid and will depend on preference.
People coming from a more traditional client/server environment will generally prefer a Cloud Function. This also allows you to do certain things which are not possible in a rule, for example you can perform any action with full server credentials.
Rules are perhaps more idiomatic for Firebase, and may be cheaper and faster. That said, it is very important to craft any rules very carefully. You may refer to the documentation, which might be relevant in this case.
The suggestion here is to use rules to prevent unwanted changes, rather than allow the owner to make any changes and then undo them in the trigger. If you want to implement logic which can't be done in rules, you might consider allowing the owner to write the changes to some kind of staging area, either separate fields in the same document, or a new pending document, then performing the checks and moving the data to its proper location in their trigger.
I have been struggling for days now trying to get my Firestore security rules to work with basic rules - even ones copied and pasted from the docs. I have tried to spin up the development and test emulator, but it failed due to what appears to be npm conflicts.
I tried to use the rules playground, but it gives me the error that the "get" function is not recognized. I found that this problem has occurred in the past. I could really use some help in figuring out where to start with this. I am considering abandoning the firestore system all together as along with these problems, the system frequently fails to connect.
The full get statement is ...
get(/databases/$(database)/documents/users/$(request.auth.uid)).data.designer ==true
I have tried a number of variations of this with no success.
If this is a problem with the tester, how can I test my queries and figure out where the problems lie. If this is a bigger problem, what do I do?
Update : The read will work if I am querying the users collection as in the query below.
allow read : if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.designer == true
The issue seems to lie in when I need to retrieve docs without knowing the specific ID of the doc in question - getting multiple docs based upon the security rule.
You are testing without a signed in user, which means that the $(request.auth.uid) expression inside your call to get() fails. To make this work you'll need a signed in user.
I am getting very high counts of Entity Writes in my firestore database.
Write permission in most of the paths are restricted, done from back-end server using admin SDK. Only a very few paths have write access- specifically only to the users who are (authenticated & registered & joined and approved in a specific group), so even though the ways to abuse are apparently thin, yet hard to specifically identify.
Only way I see- is to execute Cloud Functions on every write, and have the function log the paths somewhere to analyze. But that introduces further costs and complexity.
Is there any way/recommendation to monitor/profile where (i.e.- path) and who (UID or any identity) are performing the writes? There are tools to do such for RTDB, bu't can't find anything for Firestore.
I am also wondering if there is any way to restrict ip/users automatically in case of abuse (i.e.- high rate of read/write)?
What I'm currently doing is going to firestore console => menu usage => view usage
and I see something like this:
It's not the same as the profiler, but better than nothing.
I'm also keeping an eye on the video on the link below to see if someone provides an answer. People are asking for the profiler too.
https://www.youtube.com/watch?v=9CObBsjk6Tc
I'd like to copy out some data from the iPhone field test mode. Is there any way to do it? I'm using the data for testing, so it's not necessary to require App Store approval.
Since the field test mode is a built-in application that gathers information on the phone and its network, you can't really do anything to interact with it.
The information that the application gathers is likely taken from the private API. If there's specific information you're tying to get, I would ask a more specific question here on stackoverflow about it.