Reputation: 901
Missing or Insufficient permissions on Firestore Security Rule with get()
Pretty much no matter what I use for the get() request, getting Missing or insufficent permissions when logged in with a userID that is a "member":
function isSelf(userID) {
return request.auth != null && request.auth.uid != null && request.auth.uid == userID
}
function isMember(userID) {
return request.auth != null && request.auth.uid != null && get(/databases/$(database)/documents/'members'/$(request.auth.uid)).data.parent == userID
}
match /templates/{userID} {
allow read, write: if false
match /templates/{templateID} {
allow read: if isSelf(userID) || isMember(userID)
allow write: if isSelf(userID)
allow delete: if false
}
allow read: if isSelf(userID) || isMember(userID)
allow write: if isSelf(userID)
}
Have tried using get() with .data.parent and with .parent The member doc looks like this:
{
parent: 'USER_ID_OF_PARENT'
}
Call from the client app is:
export const getTemplate = async ({ userID, form }) => {
db.collection('templates').doc(userID).collection('templates').doc(form).get()
.then((doc) => {
})
.catch((err) => {
console.error(err)
})
}
Database structure is:
- /templates/{userID} is a collection of docs with ids as userIDs that correspond to a doc with matching userID in
/users/{userID} - /members/{memberID} is a collection of docs with ids as memberIDs, with a
parentfield with a string valueSOME_USER_IDwhich matches a doc with userIDSOME_USER_IDin/users/{userID}
Example:
/members/'MEMBER_1' doc:
{
name: 'Member 1',
parent: 'OWNING_USER_1'
}
/users/'OWNING_USER_1' doc:
{
name: 'Owning User 1',
parent: 'OWNING_USER_1'
}
/templates/'OWNING_USER_1' doc:
{
// no fields
}
/templates/'OWNING_USER_1'/templates/'FORM_1' doc:
{
name: 'Form 1'
}
With the following call:
getTemplate({
userID: 'OWNING_USER_1',
form: 'FORM_1'
})
- When the authenticated user is OWNING_USER_1, the above call is successful (the
isSelf()rule returns as true) and the found template document is returned - When the authenticated user is MEMBER_1, the above call gets
Missing or insufficient permissions(theisMember()rule returns false)
Upvotes: 0
Views: 105
Answers (1)
Reputation: 901
Removed the quotes from around 'members' and this is now working correctly:
Replaced:
get(/databases/$(database)/documents/'members'/$(request.auth.uid)).data.parent
with:
get(/databases/$(database)/documents/members/$(request.auth.uid)).data.parent
Upvotes: 1
Related Questions
- Firebase Firestore "Missing or insufficient permissions" despite open security rules
- Error with Firestore security rules: FirebaseError: Missing or insufficient permissions
- Why does firestore throw permission denied if the security rule parameter is not part of the query?
- Firebase Firestore Rules get() Not Working
- Firestore Security Rules "get()" not working?
- Firestore Rules get is always null or errors out
- Firestore rule succeeds in Playground and client but returns Permissions Denied using get method
- Firestore security rule get() not work
- Firestore security rules - permission denied
- Firestore security rule get() not working