The 2nd and 3rd rule in the below code work as expected. I'm trying to specify the access conditions for the mailingList collection to allow anyone to write. However, this is always blocking.
service cloud.firestore {
match /databases/{database}/documents {
match /malingList/{doc} {
allow write: if true;
}
match /metadata/{doc} {
allow read: if request.auth.uid != null;
}
match /taken/{doc}{
allow read: if request.auth.uid != null;
allow read,write: if
request.auth.uid == doc;
}
}
}
It seems that you have a typo:
Rules => match /malingList/{doc} {} without i between a and l
but you want to write to the mailingList collection.
Related
I am using the first version of Firestore security rules:
rules_version = '1';
Also, I have the following rule:
service cloud.firestore {
match /databases/{database}/documents {
match /chats/{chatId} {
allow read: if <condition1>
allow write: if false;
match /messages/{document=**} {
allow read: if <condition2>
// allow write: if false;
}
}
}
}
As you can see, I have commented the write operation. Is the chat doc's write operation rule being passed to the match of messages documents? Do I need to explicitly write the condition for the write operation in the nested match? If not, if the write rule is not explicitly declared... will it be false by default?
Update
I have read here that
Security rules apply only at the matched path
so, we have to explicitly define the rules for the nested stuff... but, in the case of write: if false, if it is not declared, will it be false by default?
If you comment some rule, it won't work. Rules works like in CSS for example. The last rule matters most. Here is a small example how you should secure dataase:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// {document=**} is equal to all collections and documents in whole database.
// including nested ones, so use it wise.
match /{document=**} {
allow read, write: if false;
}
// Above i restrict access to whole database but here users
// can do something in bookings collection.
// They can make documents in this collection but cannot
// make nested collections because of rule above.
match /bookings/{docId} {
allow read: if resource.data.uid == request.auth.uid || isAdmin()
allow update: if resource.data.uid == request.auth.uid || isAdmin()
allow create: if request.auth != null
}
match /app/{document} {
allow read: if true;
allow write: if false;
}
}
}
function isAdmin() {
return request.auth.token.admin == true;
}
I have a collection structure like this.
products {
123456 : {
stock_qty : (Number)
}
}
I want to validate stock quantity to be positive. I have applied following firebase security rule.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.uid != null;
}
match /products/{document=**}{
allow write: if request.resource.data.stock_qty > 0;
}
}
}
But Still I am able to add products with negative stock_qty.
what I am doing wrong here?
You need to remove this part of your rules:
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.uid != null;
}
This allows all authenticated users to read and write your entire database, regardless of any other rules you have defined.
If any rule gives access to a document, another rule cannot revoke that access.
If you have other queries for other collections that must be protected, you will need rules for those other collections as well.
I have the following rules in my Firestore database. But I still keep getting a notification from Firestore that the rules I set in my database are not secure. Please see the codes below. Any suggestions or recommendations to make the database more secure?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if userIsAdmin();
}
match /Basket/{Basket} {
allow read, update, delete: if userOwnPost();
allow create: if request.auth.uid != null;
}
match /AllOrders/{AllOrders} {
allow read, create, update: if userOwnPost();
}
match /Items/{Items} {
allow update: if userOwnPost();
}
match /Voucher/{Voucher} {
allow update: if userOwnPost();
}
match /User/{User} {
allow read, update: if userOwnPost();
allow create: if request.auth.uid != null;
}
function userIsAdmin() {
return getUserData().userRole == 'Admin';
}
function getUserData() {
return get(/databases/$(database)/documents/User/$(request.auth.uid)).data;
}
function userOwnPost() {
return getUserData().objectId == request.auth.uid;
}
}
}
You have some overlapping match statements in your rules:
With
match /{document=**} {
allow read: if true;
allow write: if userIsAdmin();
}
you allow read access on all documents in your Firestore database.
As explained in the doc (section "Overlapping match statements"), "in the case where multiple allow expressions match a request, the access is allowed if any of the conditions is true".
So all your other security rules are just overlapped by this one.
So I am assuming that my firebase rules are insecure :
I need second thoughts on it
below I set rules like:
Anyone can read and create(register)
Registered users can read messages
Registered users can create messages
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /usernames/{usernames} {
allow read;
allow create;
}
match /users/{users} {
allow read;
allow create;
}
match /messages/{messages} {
allow read;
allow create : if request.auth.uid != null;
}
}
}
Anyone can read and create(register)
match /users/{users} {
allow read, write: if true;
}
Registered users can read messages (and No one can write it)
match /users/{users} {
allow read: if request.auth.uid != null;
allow write: if false;
}
Registered users can create messages (and No one can read it)
match /messages/{messages} {
allow create: if request.auth.uid != null;
allow read: if false;
}
My Firestore database creates a new Collection whenever a new user Signs Up to my app. The name of the Collection is the username of the new user. I wanted to make the documents inside this collection to have restricted write access.
service cloud.firestore {
match /databases/{database}/documents {
match /User1/{info} {
allow read: if signedIn();
allow write: if isOwner(User1);
}
function signedIn() {
return request.auth != null;
}
function isOwner(userId) {
return request.auth.uid == userId;
}
}
}
This works if the current user is User1 but is not applicable to any new user that signs up. How do I add this Firestore Security Rule to every new user?
I notice that the first rule matches to /User1/{info}, meaning it will match any path in the collection User1. Instead, if you use brackets, this value becomes a wildcard, meaning the match will work for any value. Check out the examples in the guide for more information.
service cloud.firestore {
match /databases/{database}/documents {
match /{username}/{info} {
allow read: if signedIn();
allow write: if isOwner(username);
}
function signedIn() {
return request.auth != null;
}
function isOwner(userId) {
return request.auth.uid == userId;
}
}
}