{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 倾城 Initia 的问题《Configure the firestore security rules to allow us》','https://www.manongdao.com/q-672072.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
Using firestore with angularfire2 rc 2.
All is working very nicely in development with no effective security rules.
These are the no security rules - where the client code will create, update and delete collections below the $COLLECTION_NAME/document without issue.
service cloud.firestore {
match /databases/{database}/documents {
match /collectionA/{userId=**} {
allow read, write: if true;
}
match /collectionB/{userId=**} {
allow read, write: if true;
}
match /collectionC/{userId=**} {
allow read, write: if true;
}
match /collectionD/{userId=**} {
allow read, write: if true;
}
}
}
Where I want to get to is to only allow users to access their own data.
I started out with the following rules:
service cloud.firestore {
match /databases/{database}/documents {
match /collectionA/{userId=**} {
allow read, write: if request.auth.uid == userId;
}
match /collectionB/{userId=**} {
allow read, write: if request.auth.uid == userId;
}
match /collectionC/{userId=**} {
allow read, write: if request.auth.uid == userId;
}
match /collectionD/{userId=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
However, as soon as I add any sort of restrictive rule including even just validating the request is authorised.
match /databases/{database}/documents {
match /collectionA/{userId=**} {
allow read, write: if request.auth;
}
match /collectionB/{userId=**} {
allow read, write: if request.auth;
}
match /collectionC/{userId=**} {
allow read, write: if request.auth;
}
match /collectionD/{userId=**} {
allow read, write: if request.auth;
}
}
I get code permission errors.
[code=permission-denied]: Missing or insufficient permissions.
FirebaseError: Missing or insufficient permissions.
Each {userId} document contains a collection which in turn contains documents so a full path might be something like
const entryCollection: AngularFirestoreCollection<Entry> = this.angularfirestore.collection('collectionC/' + user.uid + '/records' + '/2017-40' + '/entries');
The requests should be authenticated as the access is only granted in the client following authentication using firebase authentication. Logging indicates the uid is present and indeed when creating the document below collectionA or B or C or D the user.uid document is named using the uid.
In my case, I needed the permissions for creating the user as well so the other solutions did not work for me. I had to also allow access to /users/{userId}. Here is my code:
I resolved this issue like this.
The following setup worked for me (I've used
allChildrenas opposed toallSubcollection):allChildrenwill allow to read/write in any subcollections of a user document.More information on this wildcard matching is here
The short answer is that
{userId=**}results inuserIdbeing apathand not astring. This means that comparing it torequest.auth.uid(which is a string) will fail. Instead, you'll likely want something like:This will guarantee that
userIdis a string, and then match the appropriate subcollections (note that again,allSubcollectionswill be apath).