here I have a little problem concerning the firestore security rules
I create an online notepad and I would like these notes to be accessible only by certain users identified by a groupId. I specify that I have specified a groupId to my cities also in order to be able to match my identified users to my identified cities.
In terms of my code, everything is fine but it is at the level of the firestore rules that I do not succeed.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users /{documents = **} {
allow create,read,write : if request.auth != null
}
match /cities/{city}/citees/{citee}{
allow read : if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.groupId == get(/databases/$(database)/documents/cities/$(city).data.groupId
}
}
}
There is a syntax error in it. Seems to be missing ) after $(city). It should be like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users /{documents = **} {
allow create,read,write : if request.auth != null
}
match /cities/{city}/citees/{citee}{
allow read : if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.groupId == get(/databases/$(database)/documents/cities/$(city)).data.groupId
}
}
}
yes, I have access to the database because when I try to recover my "uers" collection alone, I can do it
Related
If my firestore looks like this:
/domain path (eg. xyz.com)/users and other data/ecc
which rule can I set to allow user to access only the domain path they are in? Something like:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} { <-- what here
allow read, write: if request.auth <-- what here ;
}
}
}
edit: actual firestore screenshot
It seems you have user's domain as collection name so you can use a wildcard as shown below:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{colName}/{docId} {
allow read, write: if colName == request.auth.token.email.split("#")[1];
}
}
}
This rule will check if the collection name is equal to requesting user's domain in their email.
However, this above rule will be applied for all the collections in your database so I'll recommend creating a single collection "users" and storing the domain name as a field as shown below if possible:
users -> { userId }
(col) (doc)
// document in users collection
{
email: "user#domain.tld",
domain: "domain.tld",
...otherFields
}
You can then easily access the domain name in the security rules from document data.
So I am trying to only allow a client to create a file it it has a certain name, but failing completely doing so.
// This is what I have tried so far:
https://firebase.google.com/docs/reference/rules/rules.List#hasAny
request.resource.__name__.split('/').hasAny('someDocument')
https://firebase.google.com/docs/reference/rules/rules.String#matches
request.resource.__name__.matches('.*someDocument')
And trying to compare the exact string from the rules-playground
request.resource.__name__="/databases/%28default%29/documents/someCollection/someDocument/someOtherCollection/thisDocument"
But all of them returned false for me.
service cloud.firestore
{
match /databases/{database}/documents
{
match /{document=**}
{
allow read: if true;
allow write: if {insert correct condition here};
}
}
}
You just need a wildcard to get the value of a document ID. Try the following:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /collectionName/{docId} {
allow read, write: if docId.size() > 5; // example
}
}
}
If you want to match collection name as well then you can add another wildcard like this:
match /{colId}/{docId} { ... }
Checkout the documentation for more information.
I'm trying to implement what I thought was a basic security rule in Cloud Firestore, namely to allow read access to a specific collection.
service cloud.firestore {
match /databases/{collectionName}/documents {
match /{document=**}{
allow read : if collectionName=="metadata";
}
}
}
so in the rules playground, the query for /metadata/status gets denied, however, if I switch the operator to != instead of ==, it allows any query for any collection, not just the ones that aren't metadata. Help?
The placement of that wildcard is incorrect. The collectionName would be name of the database which is (default) for default database and hence "(default)" == "metadata" returned false. Try the following rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{collectionName}/{doc}{
allow read : if collectionName == "metadata";
}
}
}
Here collectionName would be name of collection being accessed.
This rule however will be applied for all collections. If you want to add that rule for 'metadata' collection only then you can add a separate rule for that:
match /metadata/{doc} {
allow read: if true;
}
if you want to set a rule on only a specific document, E.g: Inbox:
service cloud.firestore {
match /databases/{database}/documents {
// Allow public read access, but only authorized users can write
match /{document=**} {
allow read: if true
allow write: if (request.auth.uid != null);
}
match /Inbox/{document=**} {
allow read,write: if true
}
}
}
Firebase keep telling me
We've detected the following issue(s) with your security rules:
any user can read your entire database
I have changed the rules but that rules doesn’t work in my app because all user can read from db and only authenticate user can write to db.
Firebase says that write and read should be performed until we login. But in my case every user can read and only login user can write.
Any ideas how to solve this ? or I'm I doing it wrong ?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read;
allow write: if request.auth != null;
}
}
}
Can you set your read to false explicitly?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if false;
allow write: if request.auth != null;
}
}
}
That should do it. Let me know if it persists.
The root cause is that even though you are allowing only authenticated users to read or write but they have access to the whole database as mentioned in the Google Cloud Firestore Documentation. That also means any authenticated user can write anything in your database.
If you database has a separate document for each user, I would suggest using the following rules which allows users to write/read their own data only.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth.uid === userId;
}
}
}
What would be the best Firestore rules when users should only be able to read and write their own collections, i.e. the collection name is the same as the userId? Currently I have the following which works, but is it secure enough?
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{userId}/{document=**} {
allow read, write: if request.auth.uid != null;
}
}
}
I also tried the following which didn't work.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{userId}/{document=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
The first rule is indeed not sufficient, since there is no check on the collection name: any authenticated user can read all the collections named with any users' uid.
The second one should work for your requirements ("Users should only be able to read and write their own collections, i.e. the collection name is the same as the userId"). You are probably having an error somewhere else, e.g. with the code for writing or reading or for authenticating the user. You should share this code in order we double check it