Tom

Reputation: 4033

Firestore returns insufficient permissions, even though it shouldn't

I have the following rules set up for my Firestore database:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    match /collections/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /general/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /inquiries/{document=**} {
      allow write;
      allow read: if isAdmin();
    }

    match /orders/{document=**} {
      allow write;
      allow read: if isAdmin() || resource.data.userID == request.auth.uid;
    }

    match /products/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /users/{userId} {
      allow write, read: if belongsTo(userId);
    }

    // True when the signed-in user's uid matches the document id.
    function belongsTo(userId) {
      return request.auth.uid == userId;
    }

    // Note: resource.data refers to the document being accessed, not the caller.
    function isAdmin() {
      return resource.data.admin == true;
    }
  }
}

As you can see, everybody is allowed to read /products and its documents plus subcollections. This works for the products, but somehow the product's subcollection (every product has one called collection-colors) can't be read.

FirebaseError: Missing or insufficient permissions.

Code causing the error:

retrieveCollectionColors(name: string) {
  // Collection group query: hits every subcollection named 'collection-colors',
  // regardless of which product document it belongs to.
  this.db.collectionGroup('collection-colors', ref => ref.where('product', '==', name))
    .valueChanges()
    .subscribe((val: any[]) => {
      this.collectionColors.next(val);
    }, error => {
      // A rules denial surfaces here as "Missing or insufficient permissions".
      console.log(error);
    });
}

Upvotes: 1

Views: 608

Answers (1)

Doug Stevenson

Reputation: 317332

The rules you have right now don't apply at all to collection group queries. You'll need to write a special rule for that. From the documentation:

Secure and query documents based on collection groups

In your security rules, you must explicitly allow collection group queries by writing a rule for the collection group:

  • Make sure rules_version = '2'; is the first line of your ruleset. Collection group queries require the new recursive wildcard {name=**} behavior of security rules version 2.
  • Write a rule for your collection group using match /{path=**}/[COLLECTION_ID]/{doc}.

So, if you want to allow collection group queries for "collection-colors", it will look something like this:

match /{path=**}/collection-colors/{doc} {
  allow read: ...
}

This will apply to all subcollections with the given name. You can't selectively allow or disallow subcollections based on the name of the parent collection.

Upvotes: 9
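To show how the collection group rule from the answer fits into the asker's ruleset, here is a complete rules file as an added example (not code from the question or the answer). It keeps the same collections and the same read/write split, adds the /{path=**}/collection-colors/{doc} rule, and, as an assumption about how admins are marked, replaces the original isAdmin() check on resource.data (which inspects the document being accessed, not the caller) with a custom auth claim read from request.auth.token.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: the caller is signed in and owns /users/{userId}.
    function belongsTo(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Helper: admin status comes from a custom claim on the caller's token.
    // This is an assumption for the example; the original post checked
    // resource.data.admin, which tests the target document rather than the user.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    match /collections/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /general/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /inquiries/{document=**} {
      allow write;
      allow read: if isAdmin();
    }

    match /orders/{document=**} {
      allow write;
      allow read: if isAdmin() || resource.data.userID == request.auth.uid;
    }

    // Path rule: matches direct reads of /products/{id} and of documents
    // under it, but NOT a collectionGroup('collection-colors') query, which
    // has no fixed parent path to match against.
    match /products/{document=**} {
      allow read;
      allow write: if isAdmin();
    }

    match /users/{userId} {
      allow read, write: if belongsTo(userId);
    }

    // Collection group rule: {path=**} is the version-2 recursive wildcard, so
    // this matches every subcollection named 'collection-colors' wherever it
    // lives. It cannot be restricted to the ones under /products only.
    match /{path=**}/collection-colors/{doc} {
      allow read;
      allow write: if isAdmin();
    }
  }
}
```

With this in place the collectionGroup('collection-colors', ...) query from the question is evaluated against the last match block rather than against /products/{document=**}, which is why the original ruleset denied it. Because the collection group rule grants read on every subcollection with that name, any data you would not want exposed should not be stored in a subcollection called collection-colors anywhere in the database.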
