Search code examples
javascriptfirebasegoogle-cloud-platformgoogle-cloud-firestorefirebase-security

Firestore rules 'Simulated read allowed' but fails in browser


My security rules are super simple. I have two collections - riders and races:

  • riders: can only be read from or written to when the user is signed in
  • races: can be read from by unauthenticated user; written to when user is signed in.
service cloud.firestore {
  match /databases/{database}/documents {    
    // restrict read/write on all to authenticated
    match /{document=**} {
      allow read, write: if request.auth != null;
      
      // then allow collection read if match
      match /races/{id} {
        allow read, list: if true;
      } 
      
    }
  }  
}

These rules allow what appears to be the correct setup using the Firebase consoles Rules Playground but in the browser auth users behave as expected but the unauthed users are returned an error when making a call for a race:

core.js:6456 ERROR FirebaseError: Missing or insufficient permissions.
    at new e (prebuilt-47338342-439a2133.js:188)
    at prebuilt-47338342-439a2133.js:10415
    at prebuilt-47338342-439a2133.js:10416
    at e.onMessage (prebuilt-47338342-439a2133.js:10438)
    at prebuilt-47338342-439a2133.js:10355
    at prebuilt-47338342-439a2133.js:10386
    at prebuilt-47338342-439a2133.js:15146
    at ZoneDelegate.invoke (zone.js:372)
    at Zone.run (zone.js:134)
    at zone.js:1276




// service call

this.racesCollection = this.firestore.collection<Race>('races');

this.racesCollection
      .doc(id)
      .valueChanges()
      .pipe(takeUntil(this.destroy$))
      .subscribe((response: any) => {
        console.log('=== APP SERVICE emits race ===', response);
        this.race.next(response);
      });

I've tried rewriting the rules but cannot seem to find my way around this one. Any help or ideas appreciated! Thanks.


Solution

  • You should write your security rules in such a way they overlap:

    service cloud.firestore {
      match /databases/{database}/documents {    
        // restrict read/write on all to authenticated
        match /{document=**} {
          allow read, write: if request.auth != null;      
        }
    
        // then allow read for the races collection for all users
        match /races/{id} {
          allow read, list: if true;
        } 
    
      }  
    }
    

    In addition, note that list is a "sub-case" of read, so you might remove the list rule, i.e. just do allow read: if true;.


    BTW, the simulator does correctly show that your rules do not allow reading a document in the races collection if you are not authenticated.