DxW

Reputation: 1592

Firebase security rules not working - Can't figure out why

Is there someone who knows how security rules for Firestore work?

I'm trying to do something like this, but it doesn't work (I don't get access to the data).

    match /contents/{contentID} {
      allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)/reserved/permissions).data.contents.hasAny([contentID]);
      allow create, update, delete: if false;
    }

It seems the problem is contentID, since if I do this

    match /contents/{contentID} {
      allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)/reserved/permissions).data.contents.hasAny(["3"]);
      allow create, update, delete: if false;
    }

and update the document located in user/reserved/permission by adding "3" to contents (an array field of the document), it works. It's like contentID is not converted right.

Can someone explain why?

UPDATE

The client code is just:

    // Listen to the whole "contents" collection and log each snapshot.
    firestore()
      .collection('contents')
      .onSnapshot((querySnapshot) => {
        console.log(querySnapshot);
      });

and it always returns null. If I change the rule to

    match /contents/{contentID} {
      allow read: if true;
      allow create, update, delete: if false;
    }

it works. So the problem is with the rule.

Upvotes: 2

Views: 2037

Answers (2)

Doug Stevenson

Reputation: 317322

The problem is that security rules are not filters. I strongly suggest reading that documentation to understand how the system works.

Your query attempts to get all documents in the collection. The rules deny that query because it's not certain if the client actually has read access to each and every document. It will not evaluate a get() for each possible document - that simply doesn't scale (and it would be very expensive for you for large collections).

Your client app should be able to get() any individual document where the rule evaluates to true, but you won't be able to perform queries against the collection like this.

Upvotes: 3
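To make the "rules are not filters" point concrete, here is an added example that is not part of the question or either answer: a small synchronous model of how the questioner's rule is evaluated for a collection query versus a single-document get(), followed by the client-side pattern the answer describes (read the user's own permissions document, then get() each allowed content document). The in-memory `docs` map, the user id `alice` and the content ids are constructed data; real Firestore evaluates rules server-side and its SDK is promise-based, so this is a model of the semantics, not the Firebase API.

```javascript
// Added example: toy model of Firestore rule evaluation for the questioner's
// rule on /contents/{contentID}. All data below is constructed.

// Constructed documents, keyed by path. Note that contents/9 does not exist
// even though alice's permissions list it.
const docs = {
  'users/alice/reserved/permissions': { contents: ['3', '7', '9'] },
  'contents/1': { title: 'one' },
  'contents/3': { title: 'three' },
  'contents/7': { title: 'seven' },
};

// The questioner's rule as a function. The rules-language expression
//   get(/databases/$(database)/documents/users/$(request.auth.uid)/reserved/permissions)
//     .data.contents.hasAny([contentID])
// becomes a lookup in `docs` followed by an array membership test.
function contentsReadRule(auth, contentID) {
  if (!auth) return false; // unauthenticated requests have no uid to look up
  const perms = docs[`users/${auth.uid}/reserved/permissions`];
  const allowed = perms ? perms.contents : [];
  return allowed.includes(contentID); // hasAny([contentID])
}

// Rules are not filters: a query over the collection is granted only if the
// rule can be shown to hold for every document the query could return. The
// engine does not run the rule (or get()) once per document. We model that by
// evaluating the rule with an opaque wildcard that equals no concrete id, so
// the membership test cannot be proven and the whole query is denied.
const ANY_CONTENT_ID = Symbol('any contentID in the collection');

function canQueryContentsCollection(auth) {
  return contentsReadRule(auth, ANY_CONTENT_ID);
}

// A single-document get() evaluates the rule against that concrete id.
// Returns the document, null if it does not exist, or throws if denied.
function getContent(auth, contentID) {
  if (!contentsReadRule(auth, contentID)) {
    throw new Error(`permission-denied: contents/${contentID}`);
  }
  const data = docs[`contents/${contentID}`];
  return data === undefined ? null : { id: contentID, ...data };
}

// Client-side pattern that works with this rule: read the caller's own
// permissions document first (a rule allowing users to read their own
// permissions is assumed), then get() each allowed content document
// individually, dropping ids that no longer exist.
function readAllowedContents(auth) {
  const perms = docs[`users/${auth.uid}/reserved/permissions`] || { contents: [] };
  return perms.contents
    .map((id) => getContent(auth, id))
    .filter((doc) => doc !== null);
}

// Demonstration for the constructed user "alice".
const alice = { uid: 'alice' };
console.log('collection query allowed?', canQueryContentsCollection(alice)); // false
console.log('allowed contents:', readAllowedContents(alice).map((d) => d.id)); // [ '3', '7' ]
```

The model deliberately treats the wildcard as unprovable rather than iterating documents, which is the behaviour the answer describes: the query is denied as a whole, while `getContent()` succeeds for any id the permissions document lists. If the client needs a true collection query, the usual approach is to store the authorization data on the content documents themselves and constrain the query so it provably matches the rule (for example a `where` clause on the same field the rule checks), which is a schema change rather than a change to this rule.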

DxW

Reputation: 1592

The rule is well written. The problem is that the generic query get() on the entire collection "contents" is not allowed once this kind of rule is activated (and it makes sense, since this behaviour is designed to reduce the resources needed for a query).

Read this to understand the logic:

https://medium.com/firebase-developers/what-does-it-mean-that-firestore-security-rules-are-not-filters-68ec14f3d003

Upvotes: 0
