Reputation: 287
firestore read permission denied, but it works in simulator with set IDs
I am trying to filter out posts that were hidden by the user. streaming is simple:
StreamBuilderWrapper(
shrinkWrap: true,
stream: postRef
.orderBy('stars', descending: true)
.orderBy('timestamp', descending: true)
.snapshots(),
physics: NeverScrollableScrollPhysics(),
itemBuilder: (_, DocumentSnapshot snapshot) {
Review reviews= Review.fromJson(snapshot.data());
return posts.postId != null
? Padding(
padding: const EdgeInsets.only(bottom: 12.0),
child: Reviews(review: reviews),
)
: Container(
child: Center(
child: Text('balhblahblahb'),
),
);
},
),
trying to use firestore rules to set the read permission, where hidingUserId is an array of users, and isHiddenBy a currentUser id:
match /reviews/{review}{
allow read: if request.auth != null && !(request.auth.uid in
request.resource.data.hidingUserId)
|| request.resource.data.isHiddenBy == null ||
request.resource.data.isHiddenBy != request.auth.uid
allow delete, update, create: if request.auth != null
}
playing with rules in simulator with IDs works fine. they deny the read when the userId in one of the conditions, and allow read if userId is not in. However, when I test the app on the android device, I get the:
[Firestore]: Listen for Query(target=Query(reviews order by stars, -
timestamp, -__name__);limitType=LIMIT_TO_FIRST) failed:
Status{code=PERMISSION_DENIED, description=Missing or insufficient
permissions., cause=null}
why is the denial of permission? how to structure the rules, so it filters out the posts if the user has hidden it? thanks!
Upvotes: 1
Views: 199
Answers (1)
Reputation: 598708
Firebase's security rules are not filters; they don't inspect each individual document to see if it matches the rules. Instead they check the query/read operation you run against the rules to ensure it only requests documents that match those rules.
So you will have to replicate the condition from your rules in the query, an approach known as securely querying data. If you replicate the filter on hidingUserId in your query, the query meets that clause of the rules and that part of the rule will pass.
Unfortunately it is not possible to do an OR condition across multiple fields in Firestore, so it is not possible to replicate the entire rule in a query. If you can translate the conditions into a set of AND conditions, it should be possible to translate it into a query though - so that would be the direction I'd look.
Upvotes: 1
Related Questions
- FirebaseException ([cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation.)
- Firestore PERMISSION_DENIED
- getting error in cloud firestore permission
- cloud_firestore/permission-denied The caller does not have permission to execute the specified operation
- cloud_firestore/permission-denied with flutter
- no Permission to read my own Firestore collection (Flutter)
- Firestore security rules Flutter app denied permissions
- Permission denied while configuring firestore in flutter
- PERMISSION_DENIED: Missing or insufficient permissions
- Flutter Firestore - PERMISSION_DENIED: Missing or insufficient permissions