Reputation: 3149
Firestore Rules: Insecure rule notification for creating a user because of the (recommended) single check on request.auth.uid
I want to set security rules in my DB's users documents. In particular, for the creation of a user.
According to the documentation, you can write:
match /users/{user} {
allow create: if request.auth.uid != null
// && other booleans to validate data
But, according to the documentation again, writing only request.auth.uid != null without any other boolean concerning this value nore a role, makes this rule "insecure". Indeed:
When you're checking for authentication, you might also want to use one of the authentication properties to further restrict access to specific users for specific data sets. Learn more about adding security conditions and role-based access.
Of course, in the case of the creation of a user, it doesn't seem possible.
However, Firestore Security Rules will send me the notification that there is at least one insecure rule: this one.
How can I deal with this "problem"?
Upvotes: 0
Views: 166
Answers (1)
Reputation: 576
I think your problem can be solved and your firestore rule can be enhanced at the same time.
Just add a condition to check if the currentUser who is adding the newUser already exists in the users collection.
You can further enhance the same by checking if the currentUser has the necessary privileges to add a new user if you want to only allow a particular set of privileged users to create new users.
Hope this helps.
Upvotes: 1
Related Questions
- Firestore: userId rule
- Firestore rules hashing returns identity
- Define the right Firestore Security Rules
- firestore security rules at request.auth.uid == id
- Firestore rules for creating a user
- Firestore rule on uid doesn't work for unknown reason
- Setup Firestore User Security Rule
- problems with firestore security rules
- Firestore create security rule not behaving as expected
- Firestore rule to allow authenticated user to create documents not working