I am trying to setup my security rules for my cloud firestore and just can't figure out the problem.
This is my code
Future<List<Document>> getDocumentsForGroup(String groupId) async {
final user = FirebaseAuth.instance.currentUser;
if (user == null) {
throw Exception('User not authenticated');
}
try {
final querySnapshot = await FirebaseFirestore.instance
.collection('Document')
.where('group_ids', arrayContains: groupId)
.get();
return querySnapshot.docs.map((doc) {
final data = doc.data();
return Documents(
...
);
}).toList();
} catch (e) {
throw Exception('Error loading the documents: $e');
}
}
This is a snippet of my security rules, just like in the doc:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Rule for Document collection
match /Document/{document} {
// Allow reads and deletion if the current user owns the existing document
allow read, delete, get: if request.auth.uid == resource.data.user_id;
// Allow creation if the current user owns the new document
allow create: if request.auth.uid == request.resource.data.user_id;
// Allow updates by the owner, and prevent change of ownership
allow update: if request.auth.uid == request.resource.data.user_id
&& request.auth.uid == resource.data.user_id;
}
I am expecting to load the Documents but instead get the above mentioned Exception.
The Exception occurs no matter if there are any Documents or not. The User UID and the user_id from the Document are the same, but as already mentioned the error occurs even if there are no documents at all. The Document contains fields group_ids and user_id.
I know I can just allow all read and write operations, but I am also looking for a prod solution.
I am trying to setup my security rules for my cloud firestore and just can't figure out the problem.
This is my code
Future<List<Document>> getDocumentsForGroup(String groupId) async {
final user = FirebaseAuth.instance.currentUser;
if (user == null) {
throw Exception('User not authenticated');
}
try {
final querySnapshot = await FirebaseFirestore.instance
.collection('Document')
.where('group_ids', arrayContains: groupId)
.get();
return querySnapshot.docs.map((doc) {
final data = doc.data();
return Documents(
...
);
}).toList();
} catch (e) {
throw Exception('Error loading the documents: $e');
}
}
This is a snippet of my security rules, just like in the doc:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Rule for Document collection
match /Document/{document} {
// Allow reads and deletion if the current user owns the existing document
allow read, delete, get: if request.auth.uid == resource.data.user_id;
// Allow creation if the current user owns the new document
allow create: if request.auth.uid == request.resource.data.user_id;
// Allow updates by the owner, and prevent change of ownership
allow update: if request.auth.uid == request.resource.data.user_id
&& request.auth.uid == resource.data.user_id;
}
I am expecting to load the Documents but instead get the above mentioned Exception.
The Exception occurs no matter if there are any Documents or not. The User UID and the user_id from the Document are the same, but as already mentioned the error occurs even if there are no documents at all. The Document contains fields group_ids and user_id.
I know I can just allow all read and write operations, but I am also looking for a prod solution.
Share Improve this question edited Mar 30 at 0:51 Doug Stevenson 318k36 gold badges456 silver badges473 bronze badges Recognized by Google Cloud Collective asked Mar 30 at 0:48 AsuraAsura 31 bronze badge2 Answers
Reset to default 1Your rules are demanding that the query correctly filter on field user_id, but your code only filters on group_ids. Since your query doesn't filter on user_id in a way that satisfies the rules' requirements, the rules simply reject access entirely.
Security rules are not filters (you should read and understand that documentation). Rules will not change the set of resulting documents. Either the query has access to all the requested documents, or none at all, so your query must only request documents that would be allowed by the rules by applying a filter that satisfies the requirements of the rules.
You fetch documents where group_ids contain groupId. But your security rule only checks user_id, not group_ids. If a document matches group_ids but has a different user_id, the read is denied.
Modified:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Document/{document} {
// Allow read if user is the owner OR in the group_ids array
allow read: if request.auth.uid == resource.data.user_id
|| request.auth.uid in resource.data.group_ids;
// Allow creation only if the user is the owner
allow create: if request.auth.uid == request.resource.data.user_id;
// Allow updates if the user is the owner & prevents changing user_id
allow update: if request.auth.uid == resource.data.user_id
&& request.auth.uid == request.resource.data.user_id;
// Allow delete only for the owner
allow delete: if request.auth.uid == resource.data.user_id;
}
}
}