Firestore security rules are failing to enforce restrictions on a particular field

Question

Firestore security rules are failing to enforce restrictions on a particular field

Guidelines:

match /transactions/{transaction} {
  allow read: if request.auth.uid == resource.data.user_id;
}

Data Source:

https://i.sstatic.net/MNLGP.jpg

Database File:

 this.transCollection = afs.collection<Transaction>('transactions',ref => ref.where('cust_id', '==', this.cust_id).orderBy('created','desc'));
     this.transactions = this.transCollection.snapshotChanges().pipe(
       map(actions => actions.map(a => {
         const data = a.payload.doc.data() as Transaction;

         const id = a.payload.doc.id;
         return { id, data };
       }))
     );

Error: core.js:1673 ERROR Error: Missing or insufficient permissions.

typescript firebase google-cloud-firestore firebase-security

Answer 1

Answer №1

Security measures do not automatically filter data; instead, they only permit queries that are guaranteed to match documents within the allowed parameters. If there is any possibility of a query producing results outside the specified permissions, it will be rejected by the security rules.

Your current query filters based on cust_id, but the rules dictate allowances/disallowances based on user_id. This discrepancy means your query is attempting to access documents that exceed your authorization. Because the query could potentially retrieve a document with an incorrect user_id, it is rejected according to the rules. For more information, please refer to https://firebase.google.com/docs/firestore/security/rules-query

In order to address this issue, consider adjusting your rules to accommodate filtering by cust_id as well:

allow read: if request.auth.uid == resource.data.cust_id;

By implementing these revised rules, you align the conditions set by the query and consequently allow for successful reads/listening operations.

Answer 2

Security measures do not automatically filter data; instead, they only permit queries that are guaranteed to match documents within the allowed parameters. If there is any possibility of a query producing results outside the specified permissions, it will be rejected by the security rules.

Your current query filters based on cust_id, but the rules dictate allowances/disallowances based on user_id. This discrepancy means your query is attempting to access documents that exceed your authorization. Because the query could potentially retrieve a document with an incorrect user_id, it is rejected according to the rules. For more information, please refer to https://firebase.google.com/docs/firestore/security/rules-query

In order to address this issue, consider adjusting your rules to accommodate filtering by cust_id as well:

allow read: if request.auth.uid == resource.data.cust_id;

By implementing these revised rules, you align the conditions set by the query and consequently allow for successful reads/listening operations.

Answer 3

Answer №2

After finding the solution, it was discovered that there is nothing wrong with the condition. However, before applying any field-based conditions to the user ID, requests from authenticated users need to be allowed first. Then, you can check if the user ID matches the current user ID:

// Allow a read if request user id is same as resourse user_id
    allow read: if request.auth.uid == resource.data.user_id;

Rules:

match /transactions/{transaction} {
  allow read: if request.auth.uid == resource.data.user_id;
}

ts file:

//Add user_id in where condition 
this.transCollection = afs.collection<Transaction>('transactions',ref => ref.where('user_id', '==', this.user_id).where('cust_id', '==', this.cust_id).orderBy('created','desc'));
     this.transactions = this.transCollection.snapshotChanges().pipe(
       map(actions => actions.map(a => {
         const data = a.payload.doc.data() as Transaction;

         const id = a.payload.doc.id;
         return { id, data };
       }))
     );

Answer 4

After finding the solution, it was discovered that there is nothing wrong with the condition. However, before applying any field-based conditions to the user ID, requests from authenticated users need to be allowed first. Then, you can check if the user ID matches the current user ID:

// Allow a read if request user id is same as resourse user_id
    allow read: if request.auth.uid == resource.data.user_id;

Rules:

match /transactions/{transaction} {
  allow read: if request.auth.uid == resource.data.user_id;
}

ts file:

//Add user_id in where condition 
this.transCollection = afs.collection<Transaction>('transactions',ref => ref.where('user_id', '==', this.user_id).where('cust_id', '==', this.cust_id).orderBy('created','desc'));
     this.transactions = this.transCollection.snapshotChanges().pipe(
       map(actions => actions.map(a => {
         const data = a.payload.doc.data() as Transaction;

         const id = a.payload.doc.id;
         return { id, data };
       }))
     );

Firestore security rules are failing to enforce restrictions on a particular field

Answer №1

Answer №2

Similar questions

Struggling to update a scope variable when utilizing Firebase's Facebook authentication with AngularJS

What is the best way to integrate Firebase storage into a React app on the client side?

Conceal the Angular Material toolbar (top navigation bar) automatically when scrolling downwards

Creating a universal wrapper function to serve as a logging tool?

Updating multiple child nodes simultaneously in Firebase on an Android device

Exploring the mechanics behind optional chaining, known as the Elvis operator, in TypeScript. How does this feature operate within the

The data type 'unknown' cannot be directly converted to a 'number' type in TypeScript

What could be causing the issue preventing me from updating an npm library to the latest version and keeping me stuck with an older version?

Accessing JSON file content from Firebase storage

Typescript: Potential null object error when defining a method

Troubleshooting Cloud Functions: Fixing functions.logger.log not Functioning

What is the solution for fixing the Typescript error in formik onSubmit?

Adding a second interface to a Prop in Typescript React: a step-by-step guide

Retrieving the value of an object using an array of keys

What is the method for confirming whether an emit has been defined?

Exploring the functionality of window.matchmedia in React while incorporating Typescript

Issue encountered when trying to access colors within MUI theme in Typescript

Issues are arising with Angular Form where the FormControl is not being properly set up for the first field in my form

Is it possible to import both type and value on the same line when isolatedModules=true?

Encountering a problem while bringing in screens: 'The file screens/xxx cannot be located within the project or any of these folders.'