Firestore CollectionGroup Permission-Denied Error Why?

Question

In March I asked a question about creating an index for making a single-field collection-group query for Firestore. I was assisted by Frank van Puffelen and I quickly understood how to, and for a long time the functionality I had learnt was working.

Around 4 weeks ago, a secondary example of the single-field index code I learnt stopped working, but not the primary one - that still worked fine. I made a new enquiry here on Stack which Doug Stevenson helped me to answer, and there I learnt that Google had made some changes to the collection-group query configuration, and I was introduced to this documentation: https://firebase.google.com/docs/firestore/security/rules-query#collection_group_queries_and_security_rules

I worked with the documentation's directions and I was successful in getting the collection-group query to work again.

Today I went to make use of the primary code where the collection-group query had been written, and I found that now it longer works, and, adding to the security rules as directed in the documentation has made no difference.

So, I am curious about what the newest way to create a single-field collection-group query is.

In Flutter I wrote:

void signUserIn() async {
      try {
        // try sign-in
        await _auth.signInWithEmailAndPassword(
            email: emailControl.text.trim(),
            password: passwordControl.text.trim());

        // if sign-in succeeds: confirm user's registered-date
        if (_auth != null) {
          await _dB
              .collectionGroup('signInData')
              .where('firebaseUserID', isEqualTo: _auth.currentUser!.uid)
              .get()
              .then((QuerySnapshot querySnapshot) {
            querySnapshot.docs.forEach((doc) {
              registeredDate = doc['registeredDate'];
              print(doc['registeredDate']);
            });
          });
        }

At Firestore's index creator, I configured:

At Firestore's security rules I wrote the following for the signInData collection:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

match /{path=**}/signInData/{options1} {
                  allow create;
                    allow read, write, get, update: if request.auth != null;
                } 

       }
}

Despite all of the above an error occurs and the error message is:

W/Firestore(16490): (24.7.0) [Firestore]: Listen for Query(target=Query( collectionGroup=signInData where userID==XXXXXXXXXXXXXXXXXXX order by __name__);limitType=LIMIT_TO_FIRST) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}
E/flutter (16490): [ERROR:flutter/runtime/dart_vm_initializer.cc(41)] Unhandled Exception: [cloud_firestore/permission-denied] The caller does not have permission to execute the specified operation.

I'd like to understand what I have done wrong and whether Google has again updated the configuration of collection-group queries. Can you assist me please?

With thanks.

Answer 1

It turns out that Google's security rules for collection-group queries was the only update to collection-group queries for Firestore since my March 2023 enquiry.

The problem leading to the error I was receiving was due to my security rules disallowing writes when new users were being registered - this led to the Flutter written query never finding a user in Firestore with the same uid as the current user as well as the completion of the code that followed.

After updating my security rules everything was fine.

Thank you Alex Mamo for your contribution to my findings and the resolution of this issue : )