Reputation: 3640
Firestore rules are not filter - one more clarification
I need a clarification on the infamous "Rules are not filter"
Imagine
- a collection
testcolwith documents that all have a fieldtestwith value1. - a rule for this collection
allow list: if resource.data.test == 1 - a query that pulls all the documents from this collection:
firebase.collection(testcol).get()
So even if the query does not explicitly specify a filter on the field test, all returned documents still pass the rule.
I am testing this now and I see that I am still getting a "Missing or insufficient permissions" error! So is the rule engine not only checking the documents accessed against the rules but also checking the query itself to see if it might theoretically return documents not matching the rules, regardless of the documents themselves?
Upvotes: 0
Views: 96
Answers (1)
Reputation: 599671
Firestore doesn't actively check each existing document to see if it matches the conditions. That would never scale.
It instead checks if the read operation is guaranteed to ever only return allowed documents, no matter the actual underlying data. If it can't guarantee that, the read is rejected as it is here.
Upvotes: 2
Related Questions
- Struggling Firestore rules
- Firestore Rules
- Confused With Firestore Rules
- Problem in writing Firebase Firestore Rules
- truthiness in firestore security rules
- Rules Cloud Firestore
- Cloud Firestore rules proper syntax
- firebase rule with cloud firestore
- problems with firestore security rules
- How to setup Firestore security rules correctly