CODEWITHSUNDEEP
angularsecuritygoogle-cloud-firestorerules
Bene
Bene

Reputation: 81

Firestore rules deny access data, but angular project still gets the collection - ERROR Error: Missing or insufficient permissions

I have an angular project connected to a Firestore database.

I have a users collection, and the user documents in it have a nested collection inside, called hugeCollection. I want these nested collections not to be reached by the clients, so I changed the default Firestore's rules to the following:

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/hugeCollection/{document} {
        allow read : if false;
        allow write : if false;
    }
  }
}

My problem is, that my angular project can still get the subCollection inside the document. With this rule settings, the only result I get is a console log appears in the browser's console, showing:

ERROR Error: Missing or insufficient permissions

If I modify the rules below as changing the words false to be true, the console errors not showing. This is alright. But with false I would think, those subcollections shouldn't be queried.

What do I do or think bad? Thanks for any help.

Upvotes: 2

Views: 360

Answers (1)

Bene
Bene

Reputation: 81

Ok, I found what the problem was.

Firestore worked offline. So as I could reach the subcollection once, before I made the rules, it stored the data locally.

Next as I created the rules, in my angular project, it first checked the offline cache, and get the data from it. Then it checked, if there are any changes comparing to the online database. As the rules in this case not allowed to reach it, it thrown the error, and showed it in the browser's console.

I found it as I changed some data in the firebase console, but the angular project still loaded the old data. That's how I realised it something with the offline data caching.

I tried to clear firestore cache by using browser's 'empty cache and hard reload' function, but it didn't work. Then I loaded my project in incognito mode, there the data which was denied by the rule was not be able to be loaded. Then the normal mode browser windows also refreshed the firestore cache, so now they also can't load the data which are denied for them.

I hope it can help somebody running to the some issue.

Upvotes: 1

Related Questions