I'm making a simple todo app. I'm able to add a document (todo) to the database and I'm able to read them, but only if I allow every document to be read, not just mine.

I'm trying to make it so that a ListView only shows me my todos. These Firebase rules allow me to see everyone's todos:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /todos/{document} {
      allow create: if request.auth != null;
      allow read: if request.auth != null;
      allow write: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
      allow delete: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /users/{document} {
      allow create: if request.auth.uid == document;
      allow read: if request.auth.uid == document;
      allow write: if request.auth.uid == document;
      allow delete: if false;
    }
  }
}

When I change the allow read line for the todos so that only matching uids are allowed to be read:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /todos/{document} {
      allow create: if request.auth != null;
      allow read: if request.auth.uid == resource.data.uid;
      allow write: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
      allow delete: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /users/{document} {
      allow create: if request.auth.uid == document;
      allow read: if request.auth.uid == document;
      allow write: if request.auth.uid == document;
      allow delete: if false;
    }
  }
}

I get this error: Firestore Security Rules Error on ListView: Missing or insufficient permissions.

Any thoughts on what could be causing this? I tried creating a new project in FlutterFlow and I tried creating a new project in Firebase. I get the same issue.

Frank van Puffelen
tazboy
  • What is your code trying to read? Note that [security rules are not filters](https://firebase.google.com/docs/firestore/security/rules-conditions#rules_are_not_filters) on their own, and your code will have to request only the data it has access to for it to work. – Frank van Puffelen May 22 '23 at 00:05
  • And... you are correct! Thank you. The error was feedback that I was trying to grab everything which included documents I shouldn't have access to, per the Firebase rules. – tazboy May 22 '23 at 03:18

1 Answer

While we'd need to see your code/query to be certain, keep in mind that rules are not filters - but instead Firestore merely uses the rules to ensure your code doesn't read more data than it's allowed. You have to ensure that your code only requests data that the rules allow it to access.

Also see:

Frank van Puffelen
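
The "rules are not filters" behaviour from the answer, as a small JavaScript model added here for illustration; it is not code from the original post and not Firestore's own implementation. The sample documents and the names `listTodos` and `queryProvablySatisfiesRule` are hypothetical, and the `uid` field is the one used in the read rule in the question.

```javascript
// Simplified model (an assumption, not Firestore's real engine) of how a list
// request is authorized: the rule is checked against the query's constraints,
// never against the stored documents one by one.

// Constructed sample data: two users' todos in the same collection.
const todos = [
  { id: "t1", uid: "alice", title: "buy milk" },
  { id: "t2", uid: "bob", title: "file taxes" },
  { id: "t3", uid: "alice", title: "call mum" },
];

// Models: allow read: if request.auth.uid == resource.data.uid;
// The query is acceptable only if it pins `uid` to the caller's own uid,
// so that every document it could possibly return satisfies the rule.
function queryProvablySatisfiesRule(auth, filters) {
  if (!auth) return false;
  return filters.some(
    (f) => f.field === "uid" && f.op === "==" && f.value === auth.uid
  );
}

// Only equality filters are modelled here.
function listTodos(auth, filters = []) {
  if (!queryProvablySatisfiesRule(auth, filters)) {
    // The whole request is rejected; no partial result set comes back.
    throw new Error("Missing or insufficient permissions.");
  }
  return todos.filter((doc) => filters.every((f) => doc[f.field] === f.value));
}

// Wraps listTodos so both outcomes can be inspected without try/catch.
function tryList(auth, filters) {
  try {
    return { ok: true, ids: listTodos(auth, filters).map((d) => d.id) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

const alice = { uid: "alice" };
// Unconstrained read of the collection: denied, even though alice owns some docs.
console.log(tryList(alice, []));
// Query constrained to the caller's uid: allowed, returns only her todos.
console.log(tryList(alice, [{ field: "uid", op: "==", value: "alice" }]));
```

In the app itself, the equivalent change is to put an equality filter on `uid` against the signed-in user's uid in the query that backs the ListView.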