I'm trying to use Firestore rules to return only documents where the current user has some sort of rights, following the advice given in https://firebase.google.com/docs/firestore/solutions/role-based-access.
However, when I implement the rule I get the dreaded "[code=permission-denied]: Missing or insufficient permissions" error message which obviously tells me nothing, I was wondering if anyone can spot what is going wrong.
My rules:
//Specific project rules - authorised users who appear in the project list
match /documents/{document} {
function isSignedIn() {
return request.auth.uid != null;
}
function getUser(rsc) {
return rsc.data.users[request.auth.uid];
}
function isOneOfUsers(rsc, array) {
return isSignedIn() && (getUser(rsc) in array);
}
allow list: if isOneOfUsers(resource, ['user','admin']);
The data stores the users information in a field on the document (12345 in the example below. The field is of type Object which allows me to put a key (the userid, 76544 in the example below) and a value against it, such as "admin".
My data:
documents/12345/users{76544:"admin"}
Now when I log on and try to get a list of the documents, I'm expecting to see this document coming back, but I get the error. I can change the function getUser to return "user" and that works, so the problem is somewhere in the evaluation of
rsc.data.users[request.auth.uid]
I would normally accept that I'm trying something that can't be done but it is a near direct copy of the official docs so I must be missing something!
Thanks in advance for your help
Here's what I think is going on: LIST is explicitly not checking every document that it is picking up, rules are not filters etc.
When writing queries to retrieve documents, keep in mind that security
rules are not filters—queries are all or nothing. To save you time and
resources, Cloud Firestore evaluates a query against its potential
result set instead of the actual field values for all of your
documents. If a query could potentially return documents that the
client does not have permission to read, the entire request fails.
Therefore, LIST will always return the full list of /documents/, there is nothing you can write in there beyond authorisation rules that will stop it from returning all of them. If this is true, if any malicious actor gets hold of an authentication, they can download the full list of all of your /documents/.
The only sensible approach to this is to lock down any attempt to use LIST (deny all) and keep your list accessible /documents/ against an individual user instead. This seems onerous, but may be the only way of doing it.
Related
Hello, I have a problem I created a Registration form and im trying to check if there is any user which have a certain username inside the Firebase Db. I tried to get the reference of all the users.
var users = Database.database().reference("users")
But I don't know how I could check if there is any user with a specified username.
You'll want to use a query for that. Something like:
let query = users.queryOrdered(byChild: "username").equalTo("two")
Then execute the query and check whether the result snapshot exists.
Note though that you won't be able to guarantee uniqueness in this way. If multiple users perform the check at the same time, they may both end up claiming the same user name.
To guarantee a unique user name, you will need to store the user names as the key - as keys are by definition unique within their parent node. For more on this, see some of these top search results and possibly also from here.
I have a document where each invited user has a field (their request.auth.uid), with a number value representing their access level.
I want users to be able to delete their user field from the document, but not be able to increase the level of their field.
The code to remove their own user field is simply:
documentReference.update(myUserId, FieldValue.delete());
I can delete the field fine, but I can't figure out how to write a rule to allow for this (and not other updates to the field) in Firestore Security.
I've tried rules like:
allow update: if (request.resource.data[request.auth.uid] < resource.data[request.auth.uid]);
and
allow update: if !(request.resource.data[request.auth.uid] > 0);
but they lead to errors (I'm guessing because the field no longer exists).
Something to note: the rules above will still work when I'm updating the user field value from the original value to a lower (non-delete) value, and
allow update: if request.auth.uid in request.writeFields;
still returns true when using FieldValue.delete(), so it's not an issue with the user id.
One workaround for this instance is this:
allow update: if (request.resource.data.size() == resource.data.size() - 1)
&& request.writeFields.size() == 1
&& request.auth.uid in request.writeFields
&& !(request.auth.uid in request.resource.data);
based on the comment found here: Firestore Security - allow only known fields
One of the advantage of Github Search v4 (GraphQL) over v3 is that it can selectively pick the fields that we want, instead of always getting them all. However, the problem I'm facing now is how to get certain fields.
I tried the online help but it is more convolution to me than helpful. Till now, I'm still unable to find the fields for size, score and open issues for the returned repository(ies).
That's why I'm wondering if there is a way to get them all, like Select * in SQL. Thx.
GraphQL requires that when requesting a field that you also request a selection set for that field (one or more fields belonging to that field's type), unless the field resolves to a scalar like a string or number. That means unfortunately there is no syntax for "get all available fields" -- you always have to specify the fields you want the server to return.
Outside of perusing the docs, there's two additional ways you can get a better picture of the fields that are available. One is the GraphQL API Explorer, which lets you try out queries in real time. It's just a GraphiQL interface, which means when you're composing the query, you can trigger the autocomplete feature by pressing Shift+Space or Alt+Space to see a list of available fields.
If you want to look up the fields for a specific type, you can also just ask GraphQL :)
query{
__type(name:"Repository") {
fields {
name
description
type {
kind
name
description
}
args {
name
description
type {
kind
name
description
}
defaultValue
}
}
}
}
Short Answer: No, by design.
GraphQL was designed to have the client explicitly define the data required, leading to one of the primary benefits of GraphQL, which is preventing over fetching.
Technically you can use GraphQL fragments somewhere in your application for every field type, but if you don't know which fields you are trying to get it wouldn't help you.
I have two users accessing the same object. If userA saves without first fetching the object to refresh their version, data that userB has already successfully saved would be overwritten. Is there any way(perhaps cloud code?) to access and update one, and only one, data value of a PFObject?
I was thinking about pushing the save out to the cloud, refreshing the object once it gets there, updating the value in the cloud, and then saving it back. However that's a pain and still not without it's faults.
This seems easy enough, but to me was more difficult than it should have been. Intuitively, you should be able to filter out the fields you don't want in beforeSave. Indeed, this was the advice given in several posts on Parse.com. In my experience though, it would actually treat the filtering as deletions.
My goal was a bit different - I was trying to filter out a few fields and not only save a few fields, but translating to your context, you could try querying the existing matching record, and override the new object. You can't abort via response.failure(), and I don't know what would happen if you immediately save the existing record with the field of interest and null out the request.object property - you could experiment on your own with that:
Parse.Cloud.beforeSave("Foo", function(request, response) {
// check for master key if client is not end user etc (and option you may not need)
if (!request.master) {
var query = new Parse.Query("Foo");
query.get(request.object.id).then(function(existing) {
exiting.set("some_field", request.object.get("some_field"));
request.object = exiting; // haven't tried this, otherwise, set all fields from existing to new
response.success();
}, function(error) {
response.success();
});
}
});
I am using the Facebook Ads API to try to filter out specific action target ids using the follwowing call:
(account-id)/reportstats?date_preset=yesterday&data_columns=["action_target_name","adgroup_id","adgroup_name","spend","actions","adgroup_objective"]&actions_group_by=["action_target_id", "action_destination"]&filters=[{"field": "action_target_id","type": "contains","value": 'insert id'}]
Every time I try to put in a specific ID, I get an empty data set back. Whenever I change the type to "not_contains", I get every piece of data returned. I've also tried the same with action_destination, but it keeps saying value needs to be numeric even though it a string.
It definitely seems like you can filter by action_target_id because when I tried to filter by something random, it told me that filter doesn't exist.
Can anyone help me please?
Unfortunately these values are nested under the actions fields of the results and filters only work on top level field values.