firestore: PERMISSION_DENIED: Missing or insufficient permissions

Question

I am getting the Error

gettingdocuments.com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions.

for the below code on else statement

db.collection("users")
    .get()
    .addOnCompleteListener(new OnCompleteListener<QuerySnapshot>() {
        @Override
        public void onComplete(@NonNull Task<QuerySnapshot> task) {
             if (task.isSuccessful()) {
                 for (DocumentSnapshot document : task.getResult()) {
                     s(document.getId() + " => " + document.getData());
                 }
             } else {
                 s("Error getting documents."+ task.getException());
             }
         }
     });

Have you set the rules under Security Tab in Firebase Console? — Suhayl SH, Oct 05 '17 at 16:11
My mistake, I didn't see the drop box for the cloud firestore. I was checking in realtime database only. — SUHAS REKHU, Oct 05 '17 at 16:31
https://stackoverflow.com/questions/67048409/reading-from-cloud-firestore-missing-or-insufficient-permissions-in-xamarin-fo — AspiringApollo, Apr 12 '21 at 14:28
There is some useful information written in this article, [How to fix Firestore Error: PERMISSION_DENIED: Missing or insufficient permissions](https://medium.com/firebase-tips-tricks/how-to-fix-firestore-error-permission-denied-missing-or-insufficient-permissions-777d591f404), that might help. — Alex Mamo, Jun 17 '21 at 11:25
I used all possible solutions from this topic - neither of them helped me get rid of this error i my android app. However, for my colleague everything just works fine. — Lingviston, Jan 02 '23 at 12:50
if you've accidentally deleted the permission that are firebase-service account then follow this: https://stackoverflow.com/a/76790535/14190819 — Ammar, Jul 28 '23 at 19:27

Luvnish Monga · Accepted Answer · 2021-10-27T09:18:42.843

473

Go in Database -> Rules ->

For development:

Change allow read, write: if false; to true;

Note: It's quick solution for development purpose only because it will turns off all the security. So, it's not recommended for production.

For production:

If authenticated from firebase: Change allow read, write: if false; to request.auth != null;

edited Oct 27 '21 at 09:18

answered Oct 25 '17 at 06:44

Luvnish Monga

7,072
3
23
30

77

note it allows everybody to read,write your database without any authorization. – saigopi.me Sep 12 '18 at 11:26
228

This is a horrible solution, this literally just disables security. Go read this instead: https://firebase.google.com/docs/firestore/security/get-started – Duncan Lukkenaer Oct 30 '18 at 15:21
2

@ojonugwaochalifu because this is working for everyone – Luvnish Monga Jan 02 '19 at 10:22
26

Like @DuncanLuk said, it's a terrible solution. I wouldn't even call it a solution – Ojonugwa Jude Ochalifu Jan 03 '19 at 06:51
1

A quick and correct answer for people who just read about Firestore from guides (even official ones) that mentions nothing about this. – rlatief Feb 08 '19 at 04:59
1

I think it's a very useful solution if you're new to firebase, but not a good one as the app development progresses. – Joshua May 22 '19 at 23:15
19

Best solution to get started really fast. Security concerns could be fixed later actually. – Viacheslav Dobromyslov Aug 25 '19 at 00:51
this is not a solution, the solution below by @Md Nakibul Hassan should be the correctly accepted answer. – Thr3e Sep 02 '19 at 09:11
11

This is NOT a solution. "I'm having issues with security rules, let's just disable them altogether!" – TheRyan722 Nov 18 '19 at 22:00
Note - if you are developing locally you also need to change the contents of the `firestore.rules` file. https://firebase.google.com/docs/firestore/security/get-started#deploying_rules – jlhasson Mar 18 '20 at 14:49
What is the problem if the goal of a db is to get writable and readable by anyone ? For example, if users can posts and read messages wrote by others users without being logged. – Nitneq Jun 17 '20 at 15:39
How does this answer get so many upvotes and how is it accepted as the solution ? It's NOT even a solution. It can be for a start on a local environment, but Firestore rules then need to be set sooner rather than later. – John Doe Apr 13 '21 at 05:58
Please let me know if anyone has a solution for this? – Ask17 Nov 29 '21 at 07:39
Don't forget to put `match /{document=**}` instead of `match/{your previous documents}`. – LoukasPap Dec 29 '21 at 21:52
@LuvnishMonga, I follow the method you provided and still have this problem. How can I solve it please? – My Car Mar 28 '22 at 12:02
@MyCar Please provide a screenshot and mention environment – Luvnish Monga Mar 30 '22 at 06:00
Chiming in to agree that this is not a solution. Security is not something that can easily just be snapped on top of a system—it should be considered from the start, and understanding how firestore rules work with queries is important. – Nathan Jul 05 '23 at 22:04

score 143 · Answer 2 · answered Jan 30 '19 at 16:17

143

Go to Database -> Rules :

Then changed below rules

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

to below

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

answered Jan 30 '19 at 16:17

Md Nakibul Hassan

2,716
1
15
19

36

This is a bad idea, this makes ALL documents writable by ANY authenticated user, even stuff that belongs to other users, stuff that should only be writable by admin or never been writable at all. Please keep the first piece of code as it's a guard against unimplemented security rules. – Noxxys Jun 11 '19 at 12:56
1

Note that if you let people sign up (with Google SSO for example) they will automatically have access to all of your data. – ForrestLyman Aug 14 '19 at 07:29
3

I want to allow my authenticated users (a small number) to access all the documents, so this recipe is perfect for my case. – Andrei Drynov Nov 19 '19 at 13:08

score 75 · Answer 3 · edited Jul 09 '20 at 11:16

So in my case I had the following DB rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /stories/{story} {
      function isSignedIn() {
        return request.auth.uid != null;
      }
    
      allow read, write: if isSignedIn() && request.auth.uid == resource.data.uid
    }
  }
}

As you can see there is a uid field on the story document to mark the owner.

Then in my code I was querying all the stories (Flutter):

Firestore.instance
          .collection('stories')
          .snapshots()

And it failed because I have already added some stories via different users. To fix it you need to add condition to the query:

Firestore.instance
          .collection('stories')
          .where('uid', isEqualTo: user.uid)
          .snapshots()

More details here: https://firebase.google.com/docs/firestore/security/rules-query

EDIT: from the link

Rules are not filters When writing queries to retrieve documents, keep in mind that security rules are not filters—queries are all or nothing. To save you time and resources, Cloud Firestore evaluates a query against its potential result set instead of the actual field values for all of your documents. If a query could potentially return documents that the client does not have permission to read, the entire request fails.

I get `Invalid variable name: request`. Should `request` be an argument param somewhere? — Ian Davis, Aug 29 '21 at 13:27
hours were just solved with your `.where('uid', isEqualTo: user.uid)` point. Rules are not filters indeed! — Brad P., May 11 '22 at 22:00

score 35 · Answer 4 · answered Sep 16 '20 at 23:21

I also had the "Missing or insufficient permissions" error after specifying security rules. Turns out that the the rules are not recursive by default! i.e. if you wrote a rule like

match /users/{userId} {
  allow read, write: if request.auth != null && request.auth.uid == userId;
}

The rule will not apply to any subcollections under /users/{userId}. This was the reason for my error.

I fixed it by specifying the rule as:

match /users/{userId}/{document=**} {
  allow read, write: if request.auth != null && request.auth.uid == userId;
}

Read more at the relevant section of the documentation.

score 21 · Answer 5 · edited Jul 12 '20 at 04:37

21

If you try in Java Swing Application.

Go To Firebase Console > Project Overview > Project Settings
Then Go to Service Accounts Tab and Then Click on Generate New Private Key.
You will get a .json file, place it in a known path
Then Go to My Computer Properties, Advanced System Settings, Environment Variables.
Create New Path Variable GOOGLE_APPLICATION_CREDENTIALS Value with your path to json file.

edited Jul 12 '20 at 04:37

TuGordoBello

4,350
9
52
78

answered Sep 24 '19 at 08:53

Nadun Liyanage

434
3
5

3

This was my issue too, there's information for this on the [docs](https://firebase.google.com/docs/admin/setup). – tris timb Jan 23 '20 at 02:28

score 20 · Answer 6 · answered Aug 27 '19 at 09:15

20

The above voted answers are dangerous for the health of your database. You can still make your database available just for reading and not for writing:

  service cloud.firestore {
    match /databases/{database}/documents {
     match /{document=**} {
       allow read: if true;
       allow write: if false;
      }
   }
}

answered Aug 27 '19 at 09:15

Ssubrat Rrudra

870
8
20

3

what's the correct way of enabling the permissions, but not for everyone? – nyxee May 21 '20 at 20:04

score 15 · Answer 7 · answered Mar 07 '22 at 09:34

15

Change here
set false to true

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

And publish new rules

answered Mar 07 '22 at 09:34

Rasel Khan

2,976
19
25

3

Do not use this solution. It allows any user to read and write from your bucket. – Joe Moore Aug 17 '22 at 11:26
brother isn't it on develop & testing purpose? and if you don't have any read or write permission then how could you use?? – Rasel Khan Oct 29 '22 at 00:31
`allow read, write if true` allows anyone, authenticated or unauthenticated to read and write from the bucket – Joe Moore Dec 15 '22 at 13:23
4

@JoeMoore tell us a proper solution for this instead of pointing out errors. – Arijeet Mar 13 '23 at 09:05
@actually I also want this too. – Rasel Khan Mar 14 '23 at 08:25
@Arijeet the answer provided by Pasindu Ranasinghe below described how to do this via the correct auth. – Joe Moore Mar 15 '23 at 13:19

score 14 · Answer 8 · answered May 14 '20 at 12:49

14

If someone lands here trying to access Firestore with a service-account:

I solved this issue by granting the service-account the Service Account User role in addition to the Cloud Datastore User role in the IAM settings of GCP.

answered May 14 '20 at 12:49

maxarndt

560
7
16

No need for Service Account User if your user is a service account. – Christian Vielma Nov 19 '20 at 11:24
This didn't work for me. How long does it take to update? – Miguel Coder Jun 14 '23 at 02:01

Anga · Answer 9 · 2018-08-28T13:11:34.667

7

Additionally, you may get this error if the collection reference from your code does not match the collection name on firebase.

For example the collection name on firebase is users, but your referencing it with db.collection("Users") or db.collection("user")

It is case sensitive as well.

Hope this helps someone

edited Aug 28 '18 at 13:11

answered Aug 28 '18 at 08:17

Anga

2,450
2
24
30

Isn't the collection created implicitly? In your example "Users" and "user" collection would get created as and when it is referenced. – Bala TJ Jul 18 '19 at 10:23
Information can be found here. https://codelabs.developers.google.com/codelabs/firestore-android/#3 – Bala TJ Jul 18 '19 at 10:24
1

@DevTJ you're correct when it's an `add` or `set` request, but from the question it's a `get` request. I have experienced this before – Anga Jul 18 '19 at 20:28

score 7 · Answer 10 · answered Dec 22 '22 at 08:42

Approved answer is very dangerous as anyone can read or write to your database without any permission. I suggest using this.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if request.auth != null;
      allow read: if true;
    }
  }
}

This will allow authorized personnel to write the database while anyone can read the database which in case visitors to the website.

score 6 · Answer 11 · answered Nov 10 '19 at 16:24

npm i --save firebase @angular/fire

in app.module make sure you imported

import { AngularFireModule } from '@angular/fire';
import { AngularFirestoreModule } from '@angular/fire/firestore';

in imports

AngularFireModule.initializeApp(environment.firebase),
    AngularFirestoreModule,
    AngularFireAuthModule,

in realtime database rules make sure you have

{
  /* Visit  rules. */
  "rules": {
    ".read": true,
    ".write": true
  }
}

in cloud firestore rules make sure you have

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

score 6 · Answer 12 · answered Oct 04 '22 at 20:50

There are lots of good answers, but as this is the top Google response for Firestore permission denied errors, I thought I would add an answer for beginners and rookies.

Why Security Rules?

If you wrote your own backend, you would have users ask your server for something, and the server would decide what they are allowed to do. For example your server wouldn't allow user1 to delete all of user2's data.

But since your users are interacting with Firebase directly, you can't really trust anything your users are sending you. User1 could just change the user id on his delete request to 'user2' for example.

Firestore Security Rules are where you tell Firestore aka your backend server, who is allowed to read and write what data.

This video from the Firestore team is extremely helpful.

https://www.youtube.com/watch?v=eW5MdE3ZcAw

If you are hitting 'missing or insufficient permissions' errors I would strongly suggest you watch the full 22 minutes of this video, before you try anything else.

I went from 1/10 to 7/10 understand of how the security rules work, and why I was getting the error from this video alone.

The getting started guide is also useful and can help answer questions the video doesn't cover. https://firebase.google.com/docs/firestore/security/get-started

score 5 · Answer 13 · answered Feb 22 '23 at 09:54

5

For development and Test

From:

To:

answered Feb 22 '23 at 09:54

mohammed gamal

299
3
4

Rodrigo João Bertotti · Answer 14 · 2021-05-04T20:31:09.403

3

I had this error with Firebase Admin, the solution was configure the Firebase Admin correctly following this link

edited May 04 '21 at 20:31

answered Apr 02 '20 at 19:15

Rodrigo João Bertotti

5,179
2
23
34

score 2 · Answer 15 · answered Nov 13 '17 at 18:17

2

make sure your DB is not empty nor your query is for collection whom not exist

answered Nov 13 '17 at 18:17

itzhar

12,743
6
56
63

13

This exception has nothing to do with empty collection or db, it's a permission issue – Ojonugwa Jude Ochalifu Dec 31 '18 at 10:08
This exception has nothing to do with empty Db etc. Problem with security rules and Auth. – Rehan Ali May 08 '19 at 15:59
1

Me & at least 3 others have this exception on this scenario. If it's not help you, move on to the next solution – itzhar Mar 09 '20 at 01:01

score 2 · Answer 16 · answered Feb 25 '20 at 23:33

2

Check if the service account is added in IAM & Admin https://console.cloud.google.com/iam-admin/iam with an appropriate role such as Editor

answered Feb 25 '20 at 23:33

Pramendra Gupta

14,667
4
33
34

score 2 · Answer 17 · answered Mar 28 '20 at 08:47

2

the problem is that you tried to read or write data to realtime database or firestore before the user has be authenticated. please try to check the scope of your code. hope it helped!

answered Mar 28 '20 at 08:47

dova dominique kabengela

19
2

Richardd · Answer 18 · 2020-08-15T21:05:35.970

2

At this time, June 2020, by default the firebase is defined by time. Define the time to meet your needs.

allow read, write: if request.time < timestamp.date(2020, 7, 10);

Please note: your DB still open to anyone. I suggest, please read the documentation and configure the DB the way that is useful for you.

edited Aug 15 '20 at 21:05

answered Jun 11 '20 at 13:00

Richardd

956
14
27

This is not even a solution, this is kinda a joke. Who wants to use their database only to a certain time while everyone can access it? – GLHF Feb 11 '23 at 14:38

score 2 · Answer 19 · answered Jul 11 '20 at 20:05

time limit may be over

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // This rule allows anyone on the internet to view, edit, and delete
    // all data in your Firestore database. It is useful for getting
    // started, but it is configured to expire after 30 days because it
    // leaves your app open to attackers. At that time, all client
    // requests to your Firestore database will be denied.
    //
    // Make sure to write security rules for your app before that time, or else
    // your app will lose access to your Firestore database
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2020,7, 1);
    }
  }
}

there change date for nowadays in this line:

 allow read, write: if request.time < timestamp.date(2020,7, 1);

score 2 · Answer 20 · answered Jun 03 '21 at 19:35

2

Go in Firestore's Database > Rules:

rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, get: if true;
          allow write: if false;
      }
    }
}

for more informatin: https://firebase.google.com/docs/rules/rules-language?authuser=0

100% working as of now!

answered Jun 03 '21 at 19:35

Bilal Ahmad

781
8
10

https://firebase.google.com/docs/rules/get-started?authuser=0 for even more information! – Bilal Ahmad Jun 03 '21 at 19:38

score 2 · Answer 21 · answered Oct 23 '22 at 03:24

original code:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
          
    }
  }
}

change code:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
       allow read: if true;
       allow write: if request.auth != null;
    }
  }
}

score 2 · Answer 22 · answered Jan 21 '23 at 15:53

After a few days of research, I figured out that Firestore security rule for request.auth is only going to be valid if the request is made client side, after the auth state of the user has been initialized and is set to != null. If your request is (by any chance) requesting for data server side while using request.auth != null as a rule, it will be rejected. Not sure if there is any solution to this yet, but I'll try to find one or come up with one. Do leave a comment if you guys have any ideas.

score 1 · Answer 23 · answered Dec 13 '21 at 15:20

1

maybe you need to remove the date

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if
          request.time < timestamp.date(2021, 12, 12);
    }
  }
}

answered Dec 13 '21 at 15:20

rnewed_user

1,386
7
13

score 1 · Answer 24 · answered Jun 30 '22 at 10:39

Adding another reason for this - AppCheck. I had it enabled on a new project (created ~ May 2022) but hadn't completed the integration steps which caused the "Missing or insufficient permissions" error.

To resolve, first complete the AppCheck setup steps listed under the AppCheck section in Firebase. I used the ReCAPTCHA provider for my web application, you'll need to copy the ReCAPTCHA public key to use in your codebase.

Next add the AppCheck initialisaiton code to wherever you initialise the firebase app. Mine looks like this in React:

  import { initializeAppCheck, ReCaptchaV3Provider } from 'firebase/app-check';

  // ......

  // Initialize Firebase
  const app = initializeApp(firebaseConfig);
  const analytics = getAnalytics(app);

  self['FIREBASE_APPCHECK_DEBUG_TOKEN'] = true;
  // Pass your reCAPTCHA v3 site key (public key) to activate(). Make sure this
  // key is the counterpart to the secret key you set in the Firebase console.
  initializeAppCheck(app, {
    provider: new ReCaptchaV3Provider('PASTE KEY HERE'),

    // Optional argument. If true, the SDK automatically refreshes App Check
    // tokens as needed.
    isTokenAutoRefreshEnabled: true,
  });

Note the FIREBASE_APPCHECK_DEBUG_TOKEN line prints a debug token in your browser console, you'll need to copy this back into the Firebase console under AppCheck to complete the setup, afterwhich you can comment/delete that line.

This fixed my issue.

Further info:

score 1 · Answer 25 · answered Nov 27 '22 at 10:28

To me the problem was that AppCheck was also activated in my Firestore console. So I had to so what the guide stated in the app check Flutter guide

https://firebase.google.com/docs/app-check/flutter/debug-provider?hl=it&authuser=0

Turned on the androidDebugProvider: true, copied the debug token from the console and pasted it in the Firestore section (AppCheck --> app --> add debug token) and it worked immediately.

score 0 · Answer 26 · answered Mar 17 '20 at 10:22

0

https://console.firebase.google.com

Develop -> Database -> Rules -> set read, write -> true

answered Mar 17 '20 at 10:22

Giang

3,553
30
28

Wakas Abbasid · Answer 27 · 2020-06-10T11:11:15.197

0

For me it was the issue with the date. Updated it and the issue was resolved.

Allow read/write:

 if request.time < timestamp.date(2020, 5, 21);

Edit: If you are still confused and unable to figure out what's the issue just have a look at the rules section in your firebase console.

edited Jun 10 '20 at 11:11

answered May 20 '20 at 10:03

Wakas Abbasid

372
2
11

score 0 · Answer 28 · answered Sep 25 '20 at 07:46

0

Go to firebase console => cloud firestore database and add rule allowing users to read and write.

=> allow read, write

answered Sep 25 '20 at 07:46

IBoteju

1

score -1 · Answer 29 · answered Aug 24 '20 at 16:11

GO to rules in firebase and edit rules ..... (provide a timestamp or set to false) My solution.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.time < timestamp.date(2021, 8, 18);
    }
  }
}

score -1 · Answer 30 · edited Apr 30 '22 at 22:39

I have managed to resolve the issue in my case. I've got 2 errors:

PERMISSION_DENIED: Missing or insufficient permissions.
Cannot enable Firestore for this project.

Steps to fix this issue:

Part 1.

Go to the https://console.firebase.google.com/
Firestore Database -> Delete all collections
Firestore Database -> Rules -> Delete all rules history

Part 2.

Go to the https://console.cloud.google.com/
Find in menu: APIs & Services -> Enabled APIs & Services
Disable 3 services: "Cloud Firestore API”, “Firebase Rules API”, "Cloud Storage for Firebase API”
Find in menu: Firestore -> It will automatically enable "Cloud Firestore API” & “Firebase Rules API” services and will create Firestore Database.
Enable "Cloud Storage for Firebase API”.

The most important thing is to create a Firestore Database from the Google Cloud Console.

score -2 · Answer 31 · answered Jan 04 '22 at 12:49

-2

Go To Apple Certificates, Identifiers & Profiles : Select Your Key Upload firebase and Make Check For : Access the DeviceCheck and AppAttest APIs to get data that your associated

enter image description here

answered Jan 04 '22 at 12:49

islam XDeveloper

393
3
9

firestore: PERMISSION_DENIED: Missing or insufficient permissions

31 Answers31

Why Security Rules?

Linked

Related