Firestore Rules - firebase

I have the following rules in my Firestore database, but I still keep getting a notification from Firestore that the rules I set in my database are not secure. Please see the code below. Any suggestions or recommendations to make the database more secure?
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if userIsAdmin();
    }
    match /Basket/{Basket} {
      allow read, update, delete: if userOwnPost();
      allow create: if request.auth.uid != null;
    }
    match /AllOrders/{AllOrders} {
      allow read, create, update: if userOwnPost();
    }
    match /Items/{Items} {
      allow update: if userOwnPost();
    }
    match /Voucher/{Voucher} {
      allow update: if userOwnPost();
    }
    match /User/{User} {
      allow read, update: if userOwnPost();
      allow create: if request.auth.uid != null;
    }
    function userIsAdmin() {
      return getUserData().userRole == 'Admin';
    }
    function getUserData() {
      return get(/databases/$(database)/documents/User/$(request.auth.uid)).data;
    }
    function userOwnPost() {
      return getUserData().objectId == request.auth.uid;
    }
  }
}

You have some overlapping match statements in your rules:
With
  match /{document=**} {
    allow read: if true;
    allow write: if userIsAdmin();
  }
you allow read access on all documents in your Firestore database.
As explained in the doc (section "Overlapping match statements"), "in the case where multiple allow expressions match a request, the access is allowed if any of the conditions is true".
So all your other security rules are just overlapped by this one.

Related

Setting rule for a new collection

The 2nd and 3rd rule in the below code work as expected. I'm trying to specify the access conditions for the mailingList collection to allow anyone to write. However, this is always blocking.
service cloud.firestore {
  match /databases/{database}/documents {
    match /malingList/{doc} {
      allow write: if true;
    }
    match /metadata/{doc} {
      allow read: if request.auth.uid != null;
    }
    match /taken/{doc}{
      allow read: if request.auth.uid != null;
      allow read,write: if
        request.auth.uid == doc;
    }
  }
}
It seems that you have a typo:
Rules => match /malingList/{doc} {} without i between a and l
but you want to write to the mailingList collection.

Firestore security rules and vuefire

I have the following sample app here: GitHub repo
It uses vuefire in ChatList.vue
// vuefire firestore component manages the real-time stream to that reactive data property.
firestore() {
  return {
    chats: db.collection('chats').where('members', 'array-contains', this.uid)
  }
},
I now wrote security rules to secure the data, but can't seem to get the combination of vuefire and security rules to work:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    // THIS IS THE PART I'D LIKE TO REMOVE
    match /chats/{chatId=**} {
      allow read: if request.auth.uid != null;
    }
    // THIS WORKS AS INTENDED, AND I'D LIKE TO INCLUDE "READ"
    match /chats/{chatId}/{documents=**} {
      allow write: if chatRoomPermission(chatId)
    }
    function chatRoomPermission(chatId) {
      return request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.members;
    }
  }
}
So the goal is: make the individual chats only readable and writable to users that are in the members array in Firestore. (Currently I have achieved this partially, since all chats are readable to anyone, but only writable to users in the members array.)
Do I have to rewrite the vuefire component so I can have the following security rule? (It gives an error message: listing of chats not possible due to missing permissions)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /chats/{chatId}/{documents=**} {
      allow read, write: if chatRoomPermission(chatId)
    }
    function chatRoomPermission(chatId) {
      return request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.members;
    }
  }
}
For completeness, the working solution is (credits to Renaud Tarnec):
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /chats/{chatId=**} {
      allow read: if request.auth.uid in resource.data.members;
    }
    match /chats/{chatId}/{documents=**} {
      allow read, write: if chatRoomPermission(chatId)
    }
    function chatRoomPermission(chatId) {
      return request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.members;
    }
  }
}
Since you want to check, in your Security Rules, if a given value (the user uid in this case) is contained in a field of type Array in your document, you can use the in operator of the List type.
So, the following should do the trick:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    // THIS IS THE PART I'D LIKE TO REMOVE
    match /chats/{chatId=**} {
      allow read: if request.auth.uid in resource.data.members;
    }
    // ....
  }
}

firebase rule with cloud firestore

Set up multiple rules for Firebase.
Example with 3 database collections.
Cloud Firestore
On the Firebase collection of countries, all users should be allowed to read and write.
On the Firebase collection of cars, only admins are allowed to write.
On the Firebase collection of airplanes, all authenticated users are allowed to write.
Documentation that is not working:
https://firebase.google.com/docs/rules/basics#cloud-firestore
How do I set up rules with the correct syntax?
// All public to include countries
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true ;
      allow write: if true ;
    }
  }
  // check cars collection
  match /databases/{database}/documents/Cars {
    // For attribute-based access control, Check a boolean `admin` attribute
    allow read: if true ;
    allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
  }
  // check airplanes collection
  match /databases/{database}/documents/Airplanes {
    // Allow only authenticated content owners access
    match /{database}/{userId}/{documents=**} {
      allow read: if true ;
      allow write: if request.auth.uid == userID
    }
  }
}
You have a few mistakes in your rules.
You have a statement that allows everyone to write every document. When there is more than one match statement that matches the current request, and one of the statements allows the request, the final verdict is ALLOW. Remove the following:
  match /{document=**} {
    allow read: if true ;
    allow write: if true ;
  }
Firestore is case sensitive. To avoid mistakes, use a consistent naming convention like camelCase or pascal_case.
You have to add a document match variable at the end of the match statement.
This should work:
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == userId;
    }
    match /cars/{carId} {
      allow read: if true ;
      allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    }
    match /airplanes/{airplane} {
      allow read: if true ;
      allow write: if request.auth != null ;
    }
  }
}
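
Both this answer and the first answer on the page rest on the same evaluation rule: when several match blocks cover a path, the request is allowed if any one allow condition is true. The block below is an added example, not code from any of the posts, that models this in plain JavaScript; it is not the Firestore engine, and the `role` and `ownerUid` request fields and the helper names are assumptions standing in for the questions' `get()` lookups.

```javascript
// Simplified model of Firestore's "any matching allow wins" evaluation.
// Not the real rules engine: only {name} and {name=**} wildcards are handled.
const GROUPS = { read: ['get', 'list'], write: ['create', 'update', 'delete'] };
const expand = (op) => GROUPS[op] || [op];

// Convert a match path such as "/Basket/{Basket}" into a RegExp.
function toRegExp(pattern) {
  const body = pattern.split('/').filter(Boolean).map((seg) => {
    if (/^\{\w+=\*\*\}$/.test(seg)) return '.+';        // recursive wildcard
    if (/^\{\w+\}$/.test(seg)) return '[^/]+';          // single-segment wildcard
    return seg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');  // literal segment
  }).join('/');
  return new RegExp('^/' + body + '$');
}

// Match paths of every block that grants the request; an empty list means deny.
function grantingRules(ruleset, request) {
  return ruleset
    .filter((r) => toRegExp(r.match).test(request.path))
    .filter((r) => r.allow.some(
      (a) => a.ops.flatMap(expand).includes(request.op) && a.when(request)))
    .map((r) => r.match);
}
const isAllowed = (ruleset, request) => grantingRules(ruleset, request).length > 0;

// Hypothetical stand-ins for userIsAdmin()/userOwnPost(); no database lookup here.
const isAdmin = (req) => req.auth !== null && req.auth.role === 'Admin';
const ownsDoc = (req) => req.auth !== null && req.auth.uid === req.ownerUid;

// Shape of the first question's rules: public catch-all read plus an owner rule.
const original = [
  { match: '/{document=**}', allow: [{ ops: ['read'], when: () => true },
                                     { ops: ['write'], when: isAdmin }] },
  { match: '/Basket/{Basket}', allow: [{ ops: ['read', 'update', 'delete'], when: ownsDoc }] },
];
// Same rules with the catch-all read removed; admin write is kept.
const tightened = [
  { match: '/{document=**}', allow: [{ ops: ['write'], when: isAdmin }] },
  original[1],
];

// Constructed request: an unauthenticated client reading another user's basket.
const anonRead = { path: '/Basket/basket123', op: 'get', auth: null, ownerUid: 'alice' };

console.log(grantingRules(original, anonRead)); // granted by the catch-all only
console.log(isAllowed(tightened, anonRead));    // owner rule now decides
```

`grantingRules` returns which match block let the request through, which is the question to ask of a ruleset whenever a narrower rule appears to have no effect.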

Firebase Rules check

So I am assuming that my Firebase rules are insecure.
I need second thoughts on it.
Below I set rules like:
Anyone can read and create(register)
Registered users can read messages
Registered users can create messages
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /usernames/{usernames} {
      allow read;
      allow create;
    }
    match /users/{users} {
      allow read;
      allow create;
    }
    match /messages/{messages} {
      allow read;
      allow create: if request.auth.uid != null;
    }
  }
}
Anyone can read and create(register)
  match /users/{users} {
    allow read, write: if true;
  }
Registered users can read messages (and No one can write it)
  match /users/{users} {
    allow read: if request.auth.uid != null;
    allow write: if false;
  }
Registered users can create messages (and No one can read it)
  match /messages/{messages} {
    allow create: if request.auth.uid != null;
    allow read: if false;
  }

Firestore rules on subcollection

I have a "game" collection on firestore with a "levels" sub-collection. I'm trying to set-up the security rules so that you can only access game or level you created.
All documents (games or levels) have an authorId field with the uid of the user that created them. I have tried this rule but still got a Missing or insufficient permissions error:
service cloud.firestore {
  match /databases/{database}/documents {
    match /games/{document=**} {
      allow read, write: if document.data.authorId == request.auth.uid;
    }
  }
}
What am I missing?
I have tried the following rules too with no success:
service cloud.firestore {
  match /databases/{database}/documents {
    match /games/{game}/levels/{level} {
      allow read, write: if level.data.authorId == request.auth.uid;
    }
  }
}
service cloud.firestore {
  match /games/{game} {
    allow read, write: if game.data.authorId == request.auth.uid;
    match /levels/{level} {
      allow read, write: if level.data.authorId == request.auth.uid;
    }
  }
}
According to the reference documentation, resource is the object that contains the document data that the user is trying to write. You use its data property to get a hold of its field values.
service cloud.firestore {
  match /databases/{database}/documents {
    match /games/{document=**} {
      allow read, write: if resource.data.authorId == request.auth.uid;
    }
  }
}
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow read, write: if request.auth.uid == uid;
    }
    match /data/{uid}/temperature/{document=**} {
      allow read, write: if request.auth.uid == uid;
    }
    match /data/{uid}/blood_pressure/{document=**} {
      allow read, write: if request.auth.uid == uid;
    }
  }
}
I did this to access subcollections "blood_pressure" and "temperature" for only authenticated users. It works fine for me.
