Firebase popular rules not working with the updated Firebase - firebase

I'm trying to use the most popular/common firebase rule of
{ "rules": { ".read": true, ".write": true } }
Every time I put it in, I get the error of
"mismatched input '{' expecting {'function', 'import', 'service', 'rules_version'}"
My current rule is
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}

What you're trying to enter are security rules for the Realtime Database, but you're trying to enter them for Cloud Firestore, which is another database. While both databases are part of Firebase, they're completely separate, and the security rules for one don't apply to the other.
To fix the error, you will have to set the rules for Cloud Firestore, as shown here and here.

Related

Your project's Cloud Firestore database '(default)' has insecure rules

Why am I getting this error? I have pasted my rules below. I have implemented these rules for both storage and cloud firestore.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null;
allow write: if false;
}
}
}
These are automated alerts by firebase. IMHO sometimes they are false positives. In this case, they deemed it insecure because
any logged-in user can read your entire database
If this is the intended behavior you can safely ignore this alert. Otherwise, create more precise rules for each collection/document.

Firebase Flutter : Cloud Firestore database has insecure rules

Firebase keep telling me
We've detected the following issue(s) with your security rules:
any user can read your entire database
I have changed the rules, but those rules don't work in my app, because all users can read from the db and only authenticated users can write to the db.
Firebase says that reads and writes should not be performed until we log in. But in my case every user can read and only logged-in users can write.
Any ideas how to solve this? Or am I doing it wrong?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read;
allow write: if request.auth != null;
}
}
}
Can you set your read to false explicitly?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if false;
allow write: if request.auth != null;
}
}
}
That should do it. Let me know if it persists.
The root cause is that even though you are allowing only authenticated users to read or write, they have access to the whole database, as mentioned in the Google Cloud Firestore documentation. That also means any authenticated user can write anything in your database.
If your database has a separate document for each user, I would suggest using the following rules, which allow users to read/write their own data only.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Each user may read and write only the document named after their own uid.
    // request.auth is null for unauthenticated requests, so check it before
    // dereferencing uid; the rules language uses == (not ===) for equality.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}

How to configure the rules of a Firebase project to be safe?

Hi, I have a Firebase project, and when I created the databases I created some rules for testing.
Now they have expired, and they are closing my project.
It is my first time working with Firebase projects, and I have no experience. I will show you how I have defined the rules for both Cloud Firestore and the Realtime Database.
The project is an application in which users can register and leave their comments.
How should I set the rules for my databases to be secure?
How should I write my rules code?
I was absent from my project for a few days, and Google wrote to me saying that they will close my project in two days. I have looked for information, but I do not know how to create the rules so that they are correct and my project still works.
I EDITED MY QUESTION to add details.
In my application I only want registered users to be able to write comments.
The alert that Firebase shows me is the following:
"Its security rules are defined as public, so anyone can steal, modify or delete data from its database."
The databases are empty, so there are no records yet.
Can you help me? Firebase will close my project if I don't write the rules correctly; the rules shouldn't be public.
I read the documentation that Firebase offers, but I don't really understand how to create my rules.
They show something like this for authenticated users:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
And on the other hand they show these rules:
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
I don't know which one I should use exactly, and how I should write them, so that in my React Native app users can leave feedback.
Can you help me ?
I show the code of the rules of my databases
//REALTIME DATABASE
{
"rules": {
".read": true,
".write": true
}
}
//CLOUD FIRESTORE
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone with your database reference to view, edit,
// and delete all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// all client requests to your Firestore database will be denied until you Update
// your rules
match /{document=**} {
allow read, write: if request.time < timestamp.date(2020, 9, 2);
}
}
}
You can use the following rules, where only authenticated users can read and write to the database.
For Cloud Firestore:
// Allow read/write access on all documents to any user signed in to the application
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
For Realtime Database:
// Only authenticated users can access/write data
// (the rules must use straight ASCII quotes; curly quotes are rejected by the editor)
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}
Speaking through experience, there are two main ways of securing your data:
Set a field in the document such as "userID" and only allow CRUD when the auth.uid value matches this field.
Use the collection-document-collection nature of Cloud Firestore and write a rule where you allow a user to CRUD all of their own collection. E.g.
match /users/{userID} {
  allow read: if request.auth.uid == userID;
  allow write: if request.auth.uid == userID;
  match /userDocs/{docID} {
    allow read: if request.auth.uid == userID;
    allow write: if request.auth.uid == userID;
  }
}
Ideally you should allow only authenticated users to access the resource. From your code above:
{
"rules": {
".read": true,
".write": true
}
}
The above will allow anybody, even unauthenticated users, to read and write to the database.
For Firestore, as you can see, the rules only grant full read and write privileges if the date (2020-09-02) has not passed.
Visit the link to learn more about Firebase Realtime Database rules,
and the link
to learn about Firestore rules.
You can use Firebase Authentication for your users; then, if they are authenticated, they can access the database.
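A fuller rule set for the comments application described in this question, written here as an added example (it is not code from the question or from the answers above). It also addresses the point raised in the earlier "insecure rules" thread: instead of a single catch-all `match /{document=**}` rule, each collection gets its own match block with only the operations it needs, and data written by clients is validated. The collection names `users` and `comments`, the field names `authorId`, `text` and `createdAt`, and the helper functions `signedIn`, `isOwner` and `validComment` are this example's own assumptions, not Firebase built-ins.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions (names chosen for this example).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // A comment is accepted only if it has exactly the expected fields,
    // names the caller as its author, and carries a bounded text field.
    function validComment(data) {
      return data.keys().hasOnly(['authorId', 'text', 'createdAt'])
          && data.keys().hasAll(['authorId', 'text', 'createdAt'])
          && data.authorId == request.auth.uid
          && data.text is string
          && data.text.size() > 0
          && data.text.size() <= 1000;
    }

    // Profiles: each user may read and write only their own document.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // Comments: anyone may read; only signed-in users may create, and only
    // the author may edit or delete their own comment.
    match /comments/{commentId} {
      allow read: if true;
      // createdAt must equal the server time of the request, which is only
      // true when the client writes FieldValue.serverTimestamp(); clients
      // therefore cannot backdate comments.
      allow create: if signedIn()
                    && validComment(request.resource.data)
                    && request.resource.data.createdAt == request.time;
      // On update request.resource.data is the post-write document, so the
      // same validation applies; the timestamp must remain unchanged.
      allow update: if isOwner(resource.data.authorId)
                    && validComment(request.resource.data)
                    && request.resource.data.createdAt == resource.data.createdAt;
      allow delete: if isOwner(resource.data.authorId);
    }

    // Anything not matched above is denied by default, so no
    // match /{document=**} block is needed.
  }
}
```

Deploy it with `firebase deploy --only firestore:rules` or paste it into the Rules tab of the console. Because validComment requires `authorId` to equal the caller's uid on both create and update, a registered user can comment but cannot post as someone else or take over another user's comment, which is the behaviour the question asks for.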

Permission_denied to access firebase datastore

I am trying to get access to my firebase data to run a little test. I have setup an app in the firebase console and set the access rules to:
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
Nevertheless I am always getting the following error:
angular.js:14328 Error: permission_denied at /messages: Client doesn't have permission to access the desired data.
at this line of code:
var ref = firebase.database().ref().child('messages');
What am I missing?
Those rules are for Firestore and not for the Firebase Realtime Database.
In the console go to the database section and click on the dropdown then choose RealTime database:
For the realtime database change your rules to this:
{
"rules": {
".read": true,
".write": true
}
}
and then perform the tests.

Cloud Firestore Security Rules allow write only from Firebase function

I'd really like to be able to secure my Firestore db by allowing only Firebase Functions to write to a specific collection... how would I go about doing that? Looking at their documentation I do not find anything that states how you could do that. For instance, I am looking for something like:
service cloud.firestore {
match /databases/{database}/documents {
// Match any document in the 'cities' collection
match /cities/{city} {
allow read;
allow write: if <from firebase function>;
}
}
}
Cloud Functions for Firebase code generally accesses other Firebase products using the Firebase Admin SDK. The Admin SDK will have full read and write access to Firestore, no matter how the permissions are set. You can neither explicitly allow nor deny access to the Admin SDK, which means you also can't explicitly allow nor deny access to Cloud Functions.
If you just want your backend to read and write some part of your database but none of your mobile client apps, simply reject access to all clients entirely, and let the Admin SDK do its work.
service cloud.firestore {
match /databases/{database}/documents {
// Match any document in the 'cities' collection
match /cities/{city} {
allow read: if false;
allow write: if false;
}
}
}
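The pattern from the answer above, extended to a small complete rule set as an added example (it is not code from the question or the answer): the `cities` collection is written only by the backend through the Admin SDK, which these rules never see, while clients get read access and a separate write-only inbox for suggesting changes that the function then processes. The `citySubmissions` collection, its field names, and the split between client-writable and backend-only fields are assumptions made for this example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Backend-owned data: a Cloud Function writes here with the Admin SDK,
    // which bypasses rules entirely. Clients may read, but every client
    // write, even from an authenticated user, is rejected.
    match /cities/{city} {
      allow get, list: if true;
      allow create, update, delete: if false;
    }

    // Write-only inbox: a signed-in client may file a submission for the
    // function to process. The backend-only fields 'status' and 'reviewedAt'
    // are not in the hasOnly list, so a client document containing them is
    // rejected; a client cannot mark its own submission as approved.
    // Clients can never read, change or delete submissions.
    match /citySubmissions/{submissionId} {
      allow read: if false;
      allow create: if request.auth != null
                    && request.resource.data.keys().hasOnly(['name', 'submittedBy'])
                    && request.resource.data.submittedBy == request.auth.uid
                    && request.resource.data.name is string
                    && request.resource.data.name.size() <= 100;
      allow update, delete: if false;
    }

    // No match /{document=**} block: collections not listed here are
    // denied to every client, which is the default.
  }
}
```

The function itself needs no special rule: the Admin SDK ignores these rules, so it can read `citySubmissions`, write `cities`, and set `status` on the submission, none of which any client can do.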
So, I use this rule:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if false;
allow write: if false;
}
}
}
It's based on the above answer.
It just disallows access from any client app, except the Admin SDK.
As of Feb 2021 you can just declare
{
"rules": {
".read": false,
".write": false
}
}
