I've appended the following line to my storage rules following the docs:
rules_version = '2';
Furthermore, my rules are now:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Moreover, I am able to list out the files of a folder using listAll which is an exclusively version 2 feature.
However, each day I come back to my dashboard to find my rules updated to the previous version, being:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
How and why does this happen? More importantly, how may I fix the issue?
With the help from Jonathan from Firebase who was kind enough to remind me of the fact that I am deploying almost on a daily basis I figured out what was going wrong. It turned out that as part of my continuous deployment I was also deploying Firebase storage rules, hence I was indirectly the one overriding my own rules.
Now the obvious and easy solution is to just update the storage.rules file locally.
There are only three ways your rules can change:
Using the Firebase console
Using the Firebase CLI to deploy rules from a local file
Use the Firebase Admin SDK.
If your rules are changing and you are absolutely certain that it's not coming from one of these two methods, contact Firebase support for assistance.
Related
Alright so I was creating an application that works with firebase and when a user signs in, user's ID is stored in the data base. But when I was creating this I ran into an error that would pop up after a user signs in FirebaseError: Missing or insufficient permissions..
I did some research. It was the firestore rules, which were set to default as
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}
I changed this as
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
That's right from false to true. Is the right way to do it? Help would be appreciated.
If you are just testing and no one is going to use it it's fine but please, keep in mind that this kind of ruleset allows everyone to read and write to each of your files under the documents collection.
I ran into this kind of problem too while starting out with firebase and I know it's overwhelming but I would suggest you try and implement a ruleset more secure following this get started guide by google.
Let me know if you need any further information.
I want unlogged users of my reactjs webapp to be able to read only "business profile collection".
I have the following db structure.
And the following rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read : if true;
allow write: if request.auth != null;
}
}
}
I am quite new to the firestore rules, i have multiple ways and this is the only one that worked for me.
The user Dharmaraj previously mentioned that your rules are allowing any user to read and write to any collection of the database, something you can validate using the rules playground. If that is the desired behavior, then you can ignore these alerts.
However, you said you wanted unlogged users of your app to be able to read only “business profile collections”. You can read the Production-ready rules and its sections, then use the one that is best for you. The way I see it, you should read and use the Attribute-based and Role-based access section and finish with something like this:
service cloud.firestore {
match /databases/{database}/documents {
// For attribute-based access control, Check a boolean `admin` attribute
allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
allow read: true;
// Alternatively, for role-based access, assign specific roles to users
match /some_collection/{document} {
allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Reader"
allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Writer"
}
}
}
Although, you might want to check them and read them carefully to see if any other option is more suitable for you. I will add the Security Rules language that is needed to understand what your rules are doing and how to Fix insecure rules.
I would like to use this rule but firebase keeps reverting it
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{address}/{allPaths=**} {
allow write: if resource==null;
}
}
}
I don't want users to be authenticated, there is no authentication for this site. I am only allowing them to write if something isn't in that spot. The rule works for a tiny bit but then stops. This isn't sensitive data and data security isn't important for this app.
It sounds like you may be running firebase deploy, which can optionally include storage security rules and replaces whatever you had if it does.
Normally I test my security rules for Firestore with the Firestore emulator. Until a few weeks ago, everything worked wonderfully. I changed nothing and now the Firestore emulator is freaking out. I can't use request and resources anymore.
My Rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Test/{testId} {
allow read, write: if isLoggedIn();
}
function isLoggedIn() {
return request.auth.uid != null
}
}
}
If i visit http://localhost:8080/emulator/v1/projects/projektName:ruleCoverage.html, I get this message: Expression never evaluated
Error Screenshot
firebase --version: 8.2.0
Any ideas to fix this Firestore emulator error?
Firestore docs are a bit confusing. They state that the URL should be:
http://localhost:8080/emulator/v1/projects/<database_name>:ruleCoverage.html
However, they don't explain what <database_name> should be replaced with your project_id. Yes... reading the URL some might thing is obvious, but is really the argument name that should make it obvious. Plus, in Firestore databases are not created neither accessed by name.
SOLUTION:
<database_name> should be replaced by your project_id (this value is available in the files .firebaserc or google-services.json
So, if your project_id is my-amazing-app, your rulesCoverage url would be:
http://localhost:8080/emulator/v1/projects/my-amazing-app:ruleCoverage.html
I defined my rules in Firestore as below:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
I'm using Delphi's REST Client palette components to get the data, without the rule defined above I can read the data, but when I configure it to require authentication I can't get it.
I read this documentation:
https://firebase.google.com/docs/firestore/use-rest-api
Which led me to this other documentation:
https://firebase.google.com/docs/reference/rest/auth/
But I didn't understand how to generate the token property.
I don't know the tool you use and what are its capabilities. I found some interesting materials that might be helpful in this case:
Tutorial - this friendly shows the mechanism generally and Node.js implementation.
Document - here you might find all possibilities to create custom tokens as well on third party tools which I suppose you are using.
I hope it will help!