39

I am getting an error when attempting to write to Firestore.

I am attempting to use a field containing the user uid for my security rule.

service cloud.firestore {
  match /databases/{database}/documents {

    match /messages/{document=**} {
      allow read: if resource.data.user_uid == request.auth.uid;
      allow write: if resource.data.user_uid == request.auth.uid;
    }
  }
}

If I have data in my Firestore database, the read rule works fine - but when I attempt to write I get: Error: Missing or insufficient permissions. Is there something I'm doing wrong with this write rule?

P.S. If I change my rule to this, I'm able to write to my database - but this isn't secure enough for my purposes:

 match /messages/{document=**} {
      allow read: if resource.data.user_uid == request.auth.uid;
      allow write: if request.auth != null;
    }
Dan McGrath
  • 41,220
  • 11
  • 99
  • 130
Leo Farmer
  • 7,730
  • 5
  • 31
  • 47

4 Answers4

31

resource.data refers to the data already stored, so your rule allowed users to only update data that already includes their user ID.

What you probably want to check is request.resource.data which is the new data coming in.

There's a rather extensive document about those fields and other security rules here: https://firebase.google.com/docs/firestore/security/rules-conditions

Scarygami
  • 15,009
  • 2
  • 35
  • 24
  • Thanks that worked. The Firebase docs need updating, they only give the example for read, they should give the example for write too.... – Leo Farmer Oct 08 '17 at 21:08
  • @LeoFarmer there's a rather extensive document about different security rules here: https://firebase.google.com/docs/firestore/security/secure-data – Scarygami Oct 08 '17 at 21:11
  • Wouldn't that allow another user to overwrite your data as long as they try to update it with their uid? Maybe do granular create if doesn't exist and request uid matches, do delete only if existing data uid matches, and update only if both request and existing uid match? – Jason Goemaat Apr 23 '18 at 22:27
  • Hi there, appreciate this! I was wondering if you'd be able to shed on some light on my matter please https://stackoverflow.com/questions/50929366/cloud-firestore-reactjs-error-missing-or-insufficient-permissions ? Thanks very much! – Michael Jun 20 '18 at 14:29
  • link is not valid anymore – Jviaches Jul 25 '18 at 12:25
  • 1
    Fixed the link to the best matching page from the current docs. – Scarygami Jul 29 '18 at 12:12
18

This question and the accepted answer were very useful for me. I ended up using a slightly different set of rules which I'll share here incase someone else finds them useful.

Like the OP, I store a user ID (uid) with my resources. However, when I want to create a new resource, there's no uid yet. Using an example in the documentation I ended up with security rules that look like this:

service cloud.firestore {
  match /databases/{database}/documents {
    match /messages/{document=**} {
      allow read, update, delete: if request.auth.uid == resource.data.uid;
      allow create: if request.auth.uid != null;
    }
  }
}
quicklikerabbit
  • 3,257
  • 6
  • 26
  • 39
4

You can make your database available just for reading and not for writing:

  service cloud.firestore {
    match /databases/{database}/documents {
     match /{document=**} {
       allow read: if true;
       allow write: if false;
      }
   }
}
Ssubrat Rrudra
  • 870
  • 8
  • 20
0

For me this set of code worked for firestore security

 rules_version = '2';
  service cloud.firestore {
   match /databases/{database}/documents {
   match /{document=**} {
   allow read,write: if true;
          }
        }
      }
Mazhar k
  • 221
  • 2
  • 7