I have a collection structure like this.
products {
123456 : {
stock_qty : (Number)
}
}
I want to validate stock quantity to be positive. I have applied following firebase security rule.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.uid != null;
}
match /products/{document=**}{
allow write: if request.resource.data.stock_qty > 0;
}
}
}
But Still I am able to add products with negative stock_qty.
what I am doing wrong here?
You need to remove this part of your rules:
match /{document=**} {
allow read: if request.auth.uid != null;
allow write: if request.auth.uid != null;
}
This allows all authenticated users to read and write your entire database, regardless of any other rules you have defined.
If any rule gives access to a document, another rule cannot revoke that access.
If you have other queries for other collections that must be protected, you will need rules for those other collections as well.
Related
I've a firestore database and I now need to add a new collection.
Each entry of this collection should contain:
Which userId is the owner(field admin)
Which userId has been allowed to edit this element(field writer)
Which userId has been allowed to only read(field reader).
I'm currently only at the first step, and already strugling:
I was hoping to be able to query my collection( /trips/) and get only the one that I'm allowed to access, but I get an error:
FirebaseError: Missing or insufficient permissions.
Here is my rules file:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
match /users/{userId} {
allow read, update, delete: if request.auth != null && request.auth.uid == userId;
allow create: if request.auth != null;
}
match /trips/{trip} {
allow read, update, delete: if request.auth != null && request.auth.uid == resource.data.admin;
allow create: if request.auth != null;
}
}
}
So my questions:
Is this the correct way of managing resource that must be acceeded by multiple people(meaning, I cannot just have the userId in the path since there are multiple users)
How should I query only the documents list that I'm allowed to see?
Thank you very much for your help
As you will read in the doc, "All match statements should point to documents, not collections".
With
service cloud.firestore {
match /databases/{database}/documents {
match /trips {
// ....
}
}
}
you don't point to a document. You should use a wildcard to point to any document in the specified path, as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /trips/{trip} {
// ....
}
}
}
Therefore the following should correctly implement your requirements:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /trips/{trip} {
allow read: if request.auth != null &&
(request.auth.uid == resource.data.admin
|| request.auth.uid == resource.data.writer
|| request.auth.uid == resource.data.reader
);
allow update: if request.auth != null &&
(request.auth.uid == resource.data.admin
|| request.auth.uid == resource.data.writer
);
allow create: if request.auth != null;
}
}
}
Then, for the two questions:
Is this the correct way of managing resource that must be acceeded by multiple people (meaning, I cannot just have the userId in the path
since there are multiple users)
If the admin, writer and reader are specific for each document, yes this is the correct way. If those roles would be more global (e.g. all the trips to Europe can be edited by the same user), you could use a role based approach with Custom Claims.
How should I query only the documents list that I'm allowed to see?
It is important to note that rules are not filter. So your query for getting docs needs to be aligned with the rules. In your specific case, you could have an additional field of type Array which contains three values; the uids of the admin, writer and reader, and use the array-contains operator. Something like:
const user = firebase.auth().currentUser;
const query = db.collection("trips").where("authorizedReaders", "array-contains", user.uid);
match /{document=**} {
allow read, write: if false;
}
You don't need the above code as it will apply to all routes of the database, because of the above line you are getting the below error as it does not allow you to read and write to the database
FirebaseError: Missing or insufficient permissions.
Now, if you want to assign privileges to users then you should add the Role field to users collections which would have a value such as Admin, Editor, Reader
Then, you can check in routes something like below
match /users/{userId}/trips/{tripId} {
allow read, delete: if request.resource.data.role == "Admin";
allow create, update: if request.resource.data.role == "Admin || request.resource.data.role == "Editor";
}
If you want to know more about how to create a route check out this video for the best explanation
Setup multiply rules for firebase.
Example with 3 database collections.
Cloud Firestore
On firebase collection of countries, all users should be allowed to read and write.
On firebase collection of cars, only admins are allowed to write.
On firebase collection of airplanes, all authenticated users are allowed to write.
not working documentation:
https://firebase.google.com/docs/rules/basics#cloud-firestore
how to setup rules with correct syntax?
// All public to include countries
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true ;
allow write: if true ;
}
}
// check cars collection
match /databases/{database}/documents/Cars {
// For attribute-based access control, Check a boolean `admin` attribute
allow read: if true ;
allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
}
// check airplanes collection
match /databases/{database}/documents/Airplanes {
// Allow only authenticated content owners access
match /{database}/{userId}/{documents=**} {
allow read: if true ;
allow write: if request.auth.uid == userID
}
}
}
You have a few mistakes in your rules.
You have a statement that allows everyone to write every document. When there is more than one match statement that matches the current request, and one of the statements allows the request, the final verdict is ALLOW. Remove the foloving:
match /{document=**} {
allow read: if true ;
allow write: if true ;
}
Firestore is case sensitive. To avoid mistakes, use consistent naming convetion like camelCase or pascal_case.
You have to add a document match variable at the end of match statement
This should work:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read: if true;
allow write: if request.auth != null && request.auth.uid == userId;
}
match /cars/{carId} {
allow read: if true ;
allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
}
match /airplanes/{airplane} {
allow read: if true ;
allow write: if request.auth != null ;
}
}
}
I'm trying to use a wildcard in my firebase security rules but it's not working like the online documentation describes.
I want to return the entire itineraryList collection but the security rules aren't working.
match /itinerary/{userId=**}/itineraryList/{doc} {
allow read: if request.auth.uid == userId;
allow write: if request.auth.uid == userId;
}
What is the correct syntax here to give authenticated users access to the entire list?
Update following your comments:
If you want to give read access to any authenticated user to all documents under the itinerary collection (including sub-collections), do as follows:
service cloud.firestore {
match /databases/{database}/documents {
match /itinerary/{docId=**} {
allow read: if request.auth.uid != null;
}
//possibly add another rule for write
}
}
Initial answer:
This is because by doing {userId=**} you are using the "recursive wildcard syntax", see https://firebase.google.com/docs/firestore/security/rules-structure#recursive_wildcards. It will correspond to the "entire matching path segment".
You should do:
service cloud.firestore {
match /databases/{database}/documents {
match /itinerary/{userId}/itineraryList/{doc} {
allow read: if request.auth.uid == userId;
allow write: if request.auth.uid == userId;
}
}
}
You may also watch this official Firebase video about Firestore security rules, it explains this point, among others: https://www.youtube.com/watch?v=eW5MdE3ZcAw
I'm currently using Firestore for the first time and trying to understand the security rules a bit. I now my question is really simple and that I could figure out an answer by doing a bit more research but I wanted to be sure that I am doing the right thing, so I thought it would be better to just ask here.
If I had two collections in Firestore one called "A" and the other "B" what would my security rules have to be if I wanted just authenticated users to read, write, update, delete... in A and everyone to read in B but just authenticated users to write, update, delete... in B.
Edit:
Here are the current rules they apply the rules for B to all collections:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if request.auth.uid != null;
}
}
}
If you look at the documentation on authentication in security rules, you will find these rules:
service cloud.firestore {
match /databases/{database}/documents {
// Allow the user to access documents in the "cities" collection
// only if they are authenticated.
match /cities/{city} {
allow read, write: if request.auth.uid != null;
}
}
}
Modified for your use-case, that'd be something like:
service cloud.firestore {
match /databases/{database}/documents {
match /A/{id} {
allow read, write: if request.auth.uid != null;
}
match /B/{id} {
allow read;
allow write: if request.auth.uid != null;
}
}
}
I use a collection called "admin" in Firestore to define which users can write new documents (image below).
At moment, it is controled just by software. I would like to add rules to Firestore. I tried the rule below but it didn't work. What would be the correct rules in that case ?
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null;
allow write: if get(/admin/{anyDocument}).data.userId == request.auth.uid;
}
}
}
I'd recommend instead having a users collection with an admin field that can be set to true/false. Then you can do something like:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null;
allow write: if get(/users/${request.auth.uid}).data.admin == true;
}
}
}
As far i know this is not possible with your current database structure. Because the push key is not accessible in firestore rules unless it is with in the admin node.
One way is to save the admin with their uid as key like admin/userID/data...
now you can access it
allow write: if get(/databases/$(database)/documents/admin/$(request.auth.uid)).data.userId == request.auth.uid;;