Kushagra Gour

Reputation: 4966

Firebase rules fail on batch set

I have the following security rule on a particular document:

match /items/{itemId} {
  allow read, write: if request.auth != null && exists(/databases/$(database)/documents/items/$(itemId)) == false || request.auth.uid == resource.data.createdBy;
}

This works when I do a set() on that collection. But it fails when I do a set in a batch with the following error:

Error: Missing or insufficient permissions.

I am assuming my security rule needs to be changed to handle batch writes, but there is no documentation on it. Any pointers?

Update: Here is the minimal code that reproduces the problem -> https://firestore-batch-test.firebaseapp.com/ (All JavaScript inline on the page).

Exact rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemId} {
      allow read, write: if request.auth != null && exists(/databases/$(database)/documents/items/$(itemId)) == false || request.auth.uid == resource.data.createdBy;
    }
  }
}

Upvotes: 2

Views: 1087

Answers (1)

Frank van Puffelen

Reputation: 599776

Edit:

One can now get the data after it has been updated by calling getAfter(path).data. But that's for a single document only, and by knowing the exact path of the updated document.


Unfortunately this is not possible on Firestore right now.

In the realtime database you'd have newData, which contains the data as it'll exist after all writes in the batch (multi-location update in RTDB). But on Firestore that doesn't exist.

Someone is looking into what it'd take to implement this, but as usual: no timeline, no commitments for that.

There is no workaround that you can do in the client for it right now, but you could of course use Cloud Functions to ensure that at least the code doing the write is trusted.

Upvotes: 3
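
The Cloud Functions route mentioned in the answer above, as an added example that is not part of the original question or answer: a server-side writer that applies the same ownership condition as the posted rule to every document in the batch before writing any of them. The function name `writeItemsTrusted` and its parameters are hypothetical; `db` is assumed to be a firebase-admin Firestore instance and `uid` is assumed to come from a verified caller identity (for example `context.auth.uid` in a callable function).

```javascript
// Added example (not from the original post). Names are hypothetical.
// Assumptions: `db` is admin.firestore(); `uid` is the verified caller id;
// `items` maps document ids in the "items" collection to their new data.
async function writeItemsTrusted(db, uid, items) {
  // Mirrors `request.auth != null` from the posted rule.
  if (!uid) throw new Error('unauthenticated');
  const ids = Object.keys(items);
  if (ids.length === 0) return [];

  return db.runTransaction(async (tx) => {
    const refs = ids.map((id) => db.collection('items').doc(id));

    // Firestore transactions require every read to happen before any write.
    const snaps = await Promise.all(refs.map((ref) => tx.get(ref)));

    // A document may be written if it does not exist yet, or if the caller
    // is recorded as its creator. One failure rejects the whole batch.
    snaps.forEach((snap, i) => {
      if (snap.exists && snap.get('createdBy') !== uid) {
        throw new Error(`permission-denied: ${ids[i]}`);
      }
    });

    // createdBy is always set from the verified uid, never from client input,
    // so a caller cannot claim ownership on behalf of someone else.
    refs.forEach((ref, i) => {
      tx.set(ref, { ...items[ids[i]], createdBy: uid });
    });
    return ids;
  });
}
```

With this in place the security rules can deny direct client writes to the collection, since the Admin SDK is not subject to them.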
