I'm having trouble understanding and configuring the Firebase Cloud Firestore security rules. I'm using Plugin.CloudFirestore.

With security fully released, I can access the data. See the rule and code:

```
match /{document=**} {
    allow read: if true;
    allow write: if true;
}
```

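```csharp
using System.Threading.Tasks;
using Plugin.CloudFirestore;

// Runs a collection group query over every collection named `collection`.
public async Task<IQuerySnapshot> GetCollection(string collection)
{
    var group = await CrossCloudFirestore.Current
                             .Instance
                             .GetCollectionGroup(collection)
                             .GetDocumentsAsync();

    return group;
}
```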

Now, with the rule below, access is not allowed; it is denied for lack of permission:

```
match /Categorias/{document=**} {
    allow read: if true;
    allow write: if true;
}
```

Like this: `match /Categorias/{document=**}` - I can only get data by specifying the document; I can't get the list of documents.

Please help me understand what I'm missing.

  • What happens if you do `.GetCollection("Categorias")`, so with a hard-coded name and only getting the single collection and not a group? – Frank van Puffelen Jul 29 '20 at 14:34
  • Hi Frank, with the rules: `match /Categorias/{document=**} { allow read: if true; allow write: if true }` If I specify document it works: `firebase.GetDocument("Categorias", "3");` If I have to return all the docs in the collection: `firebase.GetCollection("Categorias")` Error occurs: PERMISSION_DENIED: Missing or insufficient permissions – José Donizete Oliveira Junior Jul 30 '20 at 01:34
  • If you change to something like this `match /Categorias/{document}`, does it work? Besides that, could you please check if your service account has total access as clarified [here](https://stackoverflow.com/questions/60500096/firestore-permission-denied-on-basic-requests-xamarin-forms)? Maybe you are using it and it doesn't have all the needed permissions. – gso_gabriel Jul 30 '20 at 06:48
  • Hi gso_gabriel I checked `match /Categorias/{document}` and had the same result. About the service account, that's not it because if I configure the rule `match /{document=**} { allow read: if true; allow write: if true }` I can get GetCollection to work. – José Donizete Oliveira Junior Jul 30 '20 at 09:27
  • Hi @JoséDonizeteOliveiraJunior considering that, I would recommend you to reach out to [Firebase Support](https://firebase.google.com/support) directly, so they can help you check this. Your rules seem to be correct, as well as your account permissions, so they can further investigate your instance. – gso_gabriel Aug 03 '20 at 05:28
  • Hi @gso_gabriel, I will follow your advice. As soon as I have the answer I will leave it here. Thanks – José Donizete Oliveira Junior Aug 06 '20 at 12:19

1 Answer

Firebase Support:

I have checked your case. You are using a recursive wildcard, and its behavior depends on the rules version; I can see that you are using rules_version = '2'. You are also using collection group queries, because you use GetCollectionGroup instead of GetCollection. Before using a collection group query, you must create an index that supports your collection group query. You can create an index through an error message, the console, or the Firebase CLI. You must also create rules that allow your collection group queries. Your security rules could be:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Authenticated users can query the Categorias collection group
    // Applies to collection Categorias and
    // single document retrievals
    match /{document=**} {
      allow read: if request.auth != null; // These conditions could change
    }
    match /Categorias/{document=**} {
      // Only a post's author can write to a post
      allow write: if request.auth != null && request.auth.uid == resource.data.author; // These conditions could change
    }
  }
}
```

I don’t know if you are using a recursive wildcard for any particular reason, but checking your data structure, you can simplify your security rules using version 1 and a simple wildcard instead. Also, you should use GetCollection to obtain the collection.
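
The ruleset below is an added example, not part of the original answer and not Firebase Support's own code. It scopes rules to `Categorias` only, instead of opening reads on every document, and shows which `match` serves a plain collection query and which serves a collection group query. The wildcard name `categoriaId` is hypothetical; the `request.auth != null` condition and the `author` field are carried over from the answer above as assumptions.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Option A: plain collection query, e.g. GetCollection("Categorias").
    // Matches only documents directly under the top-level collection.
    match /Categorias/{categoriaId} {
      // get = single-document read, list = query over the collection
      allow get, list: if request.auth != null;

      // On create there is no stored document yet (resource is null),
      // so the check must use the incoming data in request.resource.
      allow create: if request.auth != null
                    && request.resource.data.author == request.auth.uid;

      // On update/delete, compare against the stored author, and do not
      // let an update hand the document to a different author.
      allow update: if request.auth != null
                    && resource.data.author == request.auth.uid
                    && request.resource.data.author == resource.data.author;
      allow delete: if request.auth != null
                    && resource.data.author == request.auth.uid;
    }

    // Option B: collection group query, e.g. GetCollectionGroup("Categorias").
    // A collection group query can return documents from any collection
    // named Categorias at any depth, so it is authorised only by a rule
    // with a leading recursive wildcard (requires rules_version = '2').
    // In version 2, {path=**} matches zero or more segments, so this
    // also covers reads of the top-level /Categorias collection.
    match /{path=**}/Categorias/{categoriaId} {
      allow read: if request.auth != null;
    }

    // No other match blocks: every other path is denied by default.
  }
}
```

If the client only ever calls `GetCollection`, Option B can be dropped so that no collection group read is permitted at all.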