
I am new to firebase, and am a bit stuck with the rules.

My app is essentially a blog site. It allows non-logged-in users to read posts, users, and comments. It also allows logged-in and verified users to create a post.

Here are my rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth.uid != null;
    }
  }
}

Firebase sends me emails saying that these are not secure because "any user can read your entire database". Is there something I am missing, as I want people to be able to read the data without being logged in?

Frank van Puffelen
KJParker
    You have given read access to everyone. This could be an issue if you have some sort of credentials or personal stuff stored. But since you voluntarily want everyone to read your data, it shouldn't be a problem. I've never seen an email like that before. I would appreciate it if you posted a screenshot of it. – Dharmaraj Apr 30 '20 at 14:20

2 Answers


I believe you're still getting that because, based on the "if true" logic, any user has the ability to read anyone else's "stuff." What you could do is add some functions within the match database documents that return more tailored tests. You really want to avoid an open database in Firestore, so part of that is by design, in terms of that e-mail you're getting. I went through this same issue myself, and ended up moving over to Mongo for that particular use case.

However, if you want to keep it open, you can turn off the alert emails from the console. Click on Firebase alerts in the top-right, click settings (gear), select your project, just choose which you want to receive. I know those alerts can get annoying, haha, but it's Google's way of trying to help :) good luck!

awilliams

Firebase prefers that you call out each collection individually in your security rules to allow access, rather than use a wildcard to match everything. They have no way of knowing if you actually have some private data in a collection and are accidentally giving access to it. By specifying rules for each collection separately, you are being very clear and specific about the access for each one of them.

Doug Stevenson
  • Ah ok, I see. So if I did in fact have some personal information in, say, the users collection, I would write a rule which makes it so not everyone can read that personal information, only the owner. However, in my case it is all public by design, so is it "ok" to ignore this warning for now? – KJParker May 01 '20 at 12:11
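Putting both answers into practice, here is an added example ruleset (not from the question or either answer) that calls out each collection individually, as Doug Stevenson describes, and uses helper functions, as awilliams suggests. It assumes the layout the question implies: a `posts` collection with `comments` nested under each post, and a `users` collection whose profile documents are public. It also adds two things the question's rules do not have: a check that the writer's email is verified (the question says only verified users may create posts), and an owner-only `private` subcollection under each user for anything that should not be world-readable. The `authorId` field name and the `private` subcollection are assumptions for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: signed in with a verified e-mail address.
    function isVerifiedUser() {
      return request.auth != null && request.auth.token.email_verified == true;
    }

    // Helper: the caller is the user identified by uid.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Posts: anyone may read (public blog). Only verified users may create,
    // and only with their own uid recorded in the assumed authorId field;
    // only the author may edit or delete afterwards.
    match /posts/{postId} {
      allow read: if true;
      allow create: if isVerifiedUser()
                    && request.resource.data.authorId == request.auth.uid;
      allow update, delete: if isOwner(resource.data.authorId);

      // Comments nested under the post they belong to (assumed layout).
      match /comments/{commentId} {
        allow read: if true;
        allow create: if isVerifiedUser()
                      && request.resource.data.authorId == request.auth.uid;
        allow update, delete: if isOwner(resource.data.authorId);
      }
    }

    // Users: the public profile document is world-readable but only the
    // owner may write it. Personal data goes in the assumed "private"
    // subcollection, which only the owner can read or write.
    match /users/{userId} {
      allow read: if true;
      allow write: if isOwner(userId);

      match /private/{docId} {
        allow read, write: if isOwner(userId);
      }
    }

    // No catch-all match: any collection not listed above is denied by
    // default, so a new collection cannot accidentally become public.
  }
}
```

Because there is no `match /{document=**}` wildcard, the public reads are limited to exactly the paths listed, which is what the alert email is checking for. The `email_verified` claim is only set when Firebase Authentication has verified the address, so a newly registered but unverified account can read but not post.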