i am working on a project in flutter with firebase firestore as a database. It has two users Admin and User. Admin has subcollection food_item . is it possible to access the subcollection food_item from the User.
i heard that altering some security rules will help to get access to that subcollection.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write;
}
}
}
So if it is possible through changing rules can anyone help me. If not can you provide me other alternative reliable solutions.
Related
So in firebase I created a database named crud.
Now database rules looks like this,
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
Now I try to access the API with https://crud-12b8c.firebaseio.com/crud/users.json then I get 404 not found error. What am I doing wrong here? I am new to Firebase btw.
You are mixing up Cloud Firestore and the Firebase Realtime Database. firebaseio.com URLs are for Realtime Databases, but the console screenshot you're showing and the security rules you're displaying are for Firestore.
I'd recommend reading the guides about how to access data using the Firestore SDKs.
Accessing the firebase API is done through the Rest API service of which, you can find the full documentation here: https://firebase.google.com/docs/projects/api/reference/rest
This includes means of accessing Firestore data points directly through web requests:
https://firebase.google.com/docs/firestore/reference/rest/v1/projects.databases.documents/get
For example:
https://firestore.googleapis.com/v1beta1/projects/crud-12b8c/databases/(default)/documents/crud
It does get complicated but this is a great start to using Firebase per your needs.
Can I lock read and write operations from Firestore of client side? I want that only Firebase Cloud Functions can read and write in Firestore.
I was connect directly from client to Firestore but I want now the client can call only with back-end ( To make some condition and security ) server for avoiding hack data
It's quite simple, you have to deny all access as follows:
// Deny read/write access to all users under any conditions
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
Since Cloud Functions interact with Firestore through the Admin SDK they completely bypass the Security Rules.
My application is a local news application that publishes the news and happenings of my village and nearby surroundings. I want people to read all the news without any authentication and only the app owner or publisher can write the news. So, in this case, I have the following rules:
allow read: if true;
allow write: if request.auth.uid =="My uid"
But when I do this I get this message in my email from Firestore:
Your Cloud Firestore database has insecure rules.
We've detected the following issue(s) with your security rules:
any user can read your entire database
You're not showing the entire rules, but if they look like this:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if request.auth.uid =="My uid"
}
}
}
Firestore finds that to be insecure because you are applying universal read access to every single document in the entire database. This can lead to unexpected security problems.
Instead, you should call out individual collections that should have read and write access. Don't use the wildcard /{document=**}.
match /collection-name/{id} {
allow read: if true;
allow write: if request.auth.uid =="My uid"
}
I suggest reading the documentation on security rules thoroughly (not just the first page) to learn how they work.
On my android app, I am using Firebase Firestore to store a collection of "usernames" to be queried BEFORE the user signs in to check whether the chosen username is available or not.
Currently my project has 2 main collections: "users" and "usernames". I am trying to allow Read access only in the "usernames" collection. My program fails because when I try to query the "usernames" collection before the user is authenticated it says I don't have the right permissions.
My rules are very basic, but I was wondering if it is possible to modify them in some way for my project to work. Rules are as follows:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
A visual idea what the firestore database looks like:
If you want to treat the "usernames" collection differently than everything else, call it out by name, and assign full read access to everyone:
match /usernames/{id} {
allow read: if true;
}
I suggest taking some time to study the documentation on security rules to better understand how they work, an learn how to make rules on your own.
I have files I want to make sure to keep secure, once the admin uploads a file into the storage, only he and the user he is sharing the file with has access to the links to download that file. Hence under firestore rules I added the following:
match /users/{userID} {
allow read: if isOwner(userID) || isAdmin();
allow write: if isOwner(userID) || isAdmin();
}
/// FUNCTIONS BELLOW ///
function isAdmin() {
return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.IsAdmin;
}
However when I tried to add the same rules under Firestorage, the access is constantly denied.
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if isAdmin();
allow write: if isAdmin();
}
/// FUNCTIONS BELLOW ///
function isAdmin() {
return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.IsAdmin;
}
}
}
Does the Firestorage get method work differently then the Firestore get method?
Any assistance would be much appreciated.
There are no Firestorage Rules, there are actually rules for Cloud Firestore which is the new database from Google, Firebase Storage which is used to store images, audio, video, or other user-generated content and Fireabse realtime database which is also a NoSQL database.
Cloud Firestore Security Rules
Security rules provide access control and data validation in a simple yet expressive format.
Storage Security
Rules
Storage Security Rules are used to determine who has read and write access to files stored in Cloud Storage, as well as how files are structured and what metadata they contain.
Firebase Realtime Database Security Rules
Firebase Realtime Database Rules determine who has read and write access to your database, how your data is structured, and what indexes exist. These rules live on the Firebase servers and are enforced automatically at all times.
Im guessing you are talking about Firebase Cloud Storage and Firestore
The issue with your Cloud Storage rules is that you cannot access the Firestore database. If you need to carry over data to assist with authorising a write you could look at custom claims Which you could access with auth.token.admin === true in your security rules for example that looks at the users auth token for an admin property
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if isAdmin();
allow write: if isAdmin();
}
/// FUNCTIONS BELLOW ///
function isAdmin() {
return auth.token.admin === true
}
}
}