Firestore rules & permissions question


张国彬

Jun 12, 2019, 10:14:16 AM
to Firebase Google Group
Hello

I created a rule for Firestore as below

service cloud.firestore {
  match /databases/{database}/documents {
    match /dev {
      allow read: if true
      allow write: if true
      match /{name} {
        allow read: if get(/databases/$(database)/documents/dev/$(name)).data.age>=8
        allow write: if true
      }
    }
  }
}

I have a test collection named dev. The collection has three docs. The names of the docs are name_0, name_1, name_2. The data is as below
{
  "name_0": {
    "age": 6
  },
  "name_1": {
    "age": 8
  },
  "name_2": {
    "age": 10
  }
}



Why does the following code throw a permission-denied error?

const collection = firestore.collection('dev')
let docs = await collection.where('age', '>', 9).limit(1).get()


I think the code may return the doc name_2. This makes me confused about the rules.

Any suggestions are welcome.

Thanks 

withnate


Kato Richardson

Jun 12, 2019, 11:43:28 AM
to Firebase Google Group
Hm, looks like those rules should work. They work for me.

So something doesn't match up with what you've described here.

FYI - you can use `resource.data` in place of `get(/databases/$(database)/documents/dev/$(name)).data`

☼, Kato



--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/9bf13ba5-d623-4b78-b502-b0a73666c3e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Phanindra PVS

Jun 13, 2019, 10:57:41 AM
to Firebase Google Group
When Cloud Firestore applies your security rules, it evaluates the query against its potential result set, not against the actual properties of documents in your database. If a query could potentially include documents that violate your security rules, the query will fail.

So you can't read the document if the get() returns the document with age less than 9. It gives you a permission error.
Ex:
const collection = firestore.collection('dev')
let docs = await collection.where('age', '>', 5).limit(1).get() // it gives a permission error.

Because in the result set you have docs with age 6, 8

service cloud.firestore {
  match /databases/{database}/documents {
    match /dev/{name} {

Kato Richardson

Jun 13, 2019, 1:14:09 PM
to Firebase Google Group
Hello Phanindra, while your assessment of "potential results" is correct, your conclusion about queries is not entirely true; Firestore differs from Realtime Database slightly in this regard.

See the security doc section on security rules are not filters. You'll find that the query is okay, as long as it matches the potential results. Note that I provided a working sample matching the rules and the query presented.
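
Added example, not part of the thread and not Firestore's own code: a simplified model of the "potential result set" check discussed above, treating the rule and the query each as one numeric range on `age` and allowing the query only when its range lies entirely inside the rule's range. The `{ op, value }` constraint shape and the function names are assumptions made for this sketch; stored documents are never consulted.

```javascript
// Simplified model (an assumption, not Firestore's evaluator): a list query is
// allowed only if EVERY value its constraint could match also satisfies the rule.
// Constraints are { op, value } on one numeric field; stored data is never read.

// Convert a constraint to an interval { lo, loInc, hi, hiInc } over the reals.
function toInterval({ op, value }) {
  const all = { lo: -Infinity, loInc: false, hi: Infinity, hiInc: false };
  switch (op) {
    case '>':  return { ...all, lo: value };
    case '>=': return { ...all, lo: value, loInc: true };
    case '<':  return { ...all, hi: value };
    case '<=': return { ...all, hi: value, hiInc: true };
    case '==': return { lo: value, loInc: true, hi: value, hiInc: true };
    default: throw new Error(`unsupported operator: ${op}`);
  }
}

// True when interval `inner` lies entirely inside interval `outer`.
function contains(outer, inner) {
  const loOk = inner.lo > outer.lo ||
    (inner.lo === outer.lo && (outer.loInc || !inner.loInc));
  const hiOk = inner.hi < outer.hi ||
    (inner.hi === outer.hi && (outer.hiInc || !inner.hiInc));
  return loOk && hiOk;
}

// A query with no filter (null) could match any document.
function queryAllowed(ruleConstraint, queryConstraint) {
  const ruleRange = toInterval(ruleConstraint);
  const queryRange = queryConstraint
    ? toInterval(queryConstraint)
    : { lo: -Infinity, loInc: false, hi: Infinity, hiInc: false };
  return contains(ruleRange, queryRange) ? 'allowed' : 'permission-denied';
}

// Rule from the thread: allow read if age >= 8.
const threadRule = { op: '>=', value: 8 };
// Queries from the thread, plus boundary cases (constructed).
const queries = [
  { op: '>', value: 9 },  // where('age', '>', 9)
  { op: '>', value: 5 },  // where('age', '>', 5)
  { op: '>=', value: 8 }, // exactly mirrors the rule
  { op: '>', value: 7 },  // 7.5 would match the query but fail the rule
  null,                   // collection.get() with no filter
];
for (const q of queries) {
  console.log(q ? `age ${q.op} ${q.value}` : '(no filter)', '=>', queryAllowed(threadRule, q));
}
```

In this model the outcome depends only on the two constraints, so deleting the `age: 6` document would not change which queries are denied.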
