Firestore: Missing or insufficient permissions in web


José Manuel Alarcón

Apr 25, 2018, 10:18:34 AM
to Firebase Google Group
Hello,

I'm having some problems with the Firestore security rules: in web I can only write but not read, and in Node.js I can do both.

My security rules are:

match /items/{item} {
    // Applies to writes to nonexistent documents
    allow create: if true;

    // Applies to writes to existing documents
    allow update: if incomingData().user == existingData().user;

    // Applies to delete operations
    allow delete: if false;

    allow read: if incomingData().user == existingData().user;
}

In nodejs with firebase-admin: v5.12.0 this works fine:

admin.firestore().collection('items').where('user', '==', userId).get().then(snapshot => {...

In web, the same gives me "Error getting documents:  Error: Missing or insufficient permissions.":

firebase.firestore().collection('items').where('user', '==', userId).get().then(function(querySnapshot) {...

In web I am using v4.10.1 and also tried v4.6.2.

Also, in web I can write documents without any problem:

firebase.firestore().collection('items').doc(userId + "_" + itemId).set(data)

All values of userId are OK. I'm really stuck; does anyone know what can be happening?

Thanks.

Samuel Stern

Apr 25, 2018, 11:20:35 AM
to fireba...@googlegroups.com
Hi Jose,

A few things:

  • The Node.js SDK authenticates with a service account, which means security rules are not checked.  This is why we call them "Admin" SDKs as they should be used only in trusted environments for administrative tasks.
  • I think the problem in your rules is here: allow read: if incomingData().user == existingData().user;
    • What is your definition for incomingData() and existingData() ?
    • This rule does not really make any sense, there is no "incoming data" on a read request.  What is your intention for this rule?  I can probably help you rewrite it.
- Sam


José Manuel Alarcón

Apr 25, 2018, 12:50:51 PM
to Firebase Google Group
Hello Sam,

Thanks for the reply.

I forgot to put the functions:

function existingData() {
    return resource.data;
}
function incomingData() {
    return request.resource.data;
}

What I am trying to do is make the use of "where('user', '==', userId)" mandatory. My app can be used without authentication (users who are not registered get a random userId), so users should only be able to read their own data. That is what I am trying to do with "allow read: if incomingData().user == existingData().user": to allow a read only if you know the userId.

Regards,
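The read rule Sam flags, rewritten to express the intent stated in the reply above (each user reads, creates and updates only documents whose user field matches their own identity). This is an added example, not code from the thread; it assumes the web app signs users in with Firebase Anonymous Authentication so that request.auth.uid plays the role of the random userId, which is the only way a rule can verify "who is asking" (a userId supplied as a plain query value is not verifiable by rules).

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{item} {
      // A signed-in caller (anonymous auth counts) may create an item,
      // but only one tagged with their own uid; otherwise anyone could
      // write documents into another user's view.
      allow create: if request.auth != null
                    && request.resource.data.user == request.auth.uid;

      // On a read there is no request.resource: the document being read
      // is `resource`. A query is allowed only if every document it could
      // return satisfies this, so the client must filter with
      // where('user', '==', request.auth.uid) or the whole query is denied.
      allow read: if request.auth != null
                  && resource.data.user == request.auth.uid;

      // Updates: the caller must own the existing document (resource) and
      // must not hand it to another user (request.resource).
      allow update: if request.auth != null
                    && resource.data.user == request.auth.uid
                    && request.resource.data.user == request.auth.uid;

      allow delete: if false;
    }
  }
}
```

The matching web query is firebase.firestore().collection('items').where('user', '==', firebase.auth().currentUser.uid).get(); the Admin SDK call in the first post keeps working regardless, since it bypasses rules entirely.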