Firestore Security Rule blocking request that should be allowed - firebase

I played around with my Security Rules a little bit today and now I cannot create any more (chat)rooms when cliking the corresponding button in my app. I even put the security rules back to allowing all read and write requests, but still it does not work anymore. Any advice?
> rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
// every user can only read his own data
allow write: if request.auth != null && userId.matches(request.auth.uid);
allow read;
// add part to allow access if uid equals admiin uid
}
match /rooms/{roomId=**} {
allow write, read;
}
}
}

Related

How can give access to read but not write in firebase firestore settting rules

This is what I have in my rules setup but it does not allow me to view fetched data from firestore unless I'm logged in.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Photos/{PhotoID}/{document=**} {
allow read, write: if request.auth.uid != null
}
}
}
The request.auth.uid != null will return false if a user requesting data is not logged in with Firebase Authentication. If you want anyone to to fetch data then the rule should be allow read: if true;.
I'm not sure about your use case here but it's best to allow users to read/write their own data only. For that you'll need to store their UID somewhere in the document.
Then rules in your questions apply for Photos collection and all of it's sub-collection as you are using a recursive wildcard.
You may visit there docs here
Basics of firebase security rules
In addition to #Dharmaraj answer:
The code you provided above helps you check if user is logged in, if logged in then it allows both read and write operation else disallows/denies the operation.
Then if you want a free access to your database such that it will not check whether logged in or not , remove the if condition and only end the command with semicolon[;],
But be careful because if you allow both read and write access without checking if user is authenticated or not, then you endanger your data to the entire world.
To allow only read access:
rules_version = '2';
service cloud.firestore {match /databases/{database}/documents
{
match/Photos/{PhotoID}/{document=**} {
allow read:if true;
allow write: if false;
}
}
}
To allow only write access:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match
/Photos/{PhotoID}/{document=**} {
allow read: if false;
allow write:if true;
}
}
}

Firebase Flutter : Cloud Firestore database has insecure rules

Firebase keep telling me
We've detected the following issue(s) with your security rules:
any user can read your entire database
I have changed the rules but that rules doesn’t work in my app because all user can read from db and only authenticate user can write to db.
Firebase says that write and read should be performed until we login. But in my case every user can read and only login user can write.
Any ideas how to solve this ? or I'm I doing it wrong ?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read;
allow write: if request.auth != null;
}
}
}
Can you set your read to false explicitly?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if false;
allow write: if request.auth != null;
}
}
}
That should do it. Let me know if it persists.
The root cause is that even though you are allowing only authenticated users to read or write but they have access to the whole database as mentioned in the Google Cloud Firestore Documentation. That also means any authenticated user can write anything in your database.
If you database has a separate document for each user, I would suggest using the following rules which allows users to write/read their own data only.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth.uid === userId;
}
}
}

Firestore Security Rule for users with their own collection

What would be the best Firestore rules when users should only be able to read and write their own collections, i.e. the collection name is the same as the userId? Currently I have the following which works, but is it secure enough?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{userId}/{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
I also tried the following which didn't work.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{userId}/{document=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
The first rule is indeed not sufficient, since there is no check on the collection name: any authenticated user can read all the collections named with any users' uid.
The second one should work for your requirements ("Users should only be able to read and write their own collections, i.e. the collection name is the same as the userId"). You are probably having an error somewhere else, e.g. with the code for writing or reading or for authenticating the user. You should share this code in order we double check it

Should I use Firebase anonymous login to secure my data? [duplicate]

I'm developing an app that doesn't require logging in because there isn't any user-specific data. My original plan was to just make my entire database be read only. However, upon doing some research, I found that those security rules would leave my database very vulnerable. My new plan is to implement anonymous authentication for each new user that opens my app and then delete that user once they exit my app. The security rule would be just to allow reading if the user is authenticated. Is this enough to prevent someone from using abusing queries to my database?
Generally, No.
Solely using anonymous authentication adds a hurdle to accessing your database and will protect it from simple read queries as if your database was fully open, but you should combine that with security rules that limit the queries that can be performed.
Assuming we are starting with these barebone rules:
// Allow read access on all documents to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.token.isAdmin === true;
}
}
}
To tighten up your rules, you should first remove the wildcard entry and replace them with fixed document paths.
// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postId} {
allow read: if request.auth.uid != null;
allow write: if request.auth.token.isAdmin === true;
}
}
}
or even
// Allow read access on all documents at /posts/{postId} to any user signed in to the application,
// and write access to only administrators
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postId} {
allow read: if request.auth.uid != null;
allow write: if request.auth.token.isAdmin === true;
// allow same permissions on subcollections of /posts/{postId}
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.token.isAdmin === true;
}
}
}
}
Next you should consider adding rules that limit the size of queries performed against your database using the granular security rule list as described in Securely query data of the Firebase Documentation.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postid} {
// Deny any query not limited to 10 or fewer documents
allow list: if request.auth != null
&& request.query.limit <= 10;
// Anyone can retrieve an individual post
allow get: if request.auth != null;
// Only an admin can write to posts
allow write: if request.auth.token.isAdmin === true;
}
}
}
Depending on how frequently the data is updated, you may also consider storing data bundles on Firebase Storage or you could even serve the data from Firebase Hosting where they can be served by a CDN instead of your application.

Different security rules for different Firestore collections

I'm currently using Firestore for the first time and trying to understand the security rules a bit. I now my question is really simple and that I could figure out an answer by doing a bit more research but I wanted to be sure that I am doing the right thing, so I thought it would be better to just ask here.
If I had two collections in Firestore one called "A" and the other "B" what would my security rules have to be if I wanted just authenticated users to read, write, update, delete... in A and everyone to read in B but just authenticated users to write, update, delete... in B.
Edit:
Here are the current rules they apply the rules for B to all collections:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if request.auth.uid != null;
}
}
}
If you look at the documentation on authentication in security rules, you will find these rules:
service cloud.firestore {
match /databases/{database}/documents {
// Allow the user to access documents in the "cities" collection
// only if they are authenticated.
match /cities/{city} {
allow read, write: if request.auth.uid != null;
}
}
}
Modified for your use-case, that'd be something like:
service cloud.firestore {
match /databases/{database}/documents {
match /A/{id} {
allow read, write: if request.auth.uid != null;
}
match /B/{id} {
allow read;
allow write: if request.auth.uid != null;
}
}
}

Resources