I want to create Firebase Firestore rules so that only verified users can read and write into the members collection. But I seem to be unable to write such firesore rules.
I wrote those Firestore rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
match /users/{userId} {
allow create: if request.auth.uid != null;
allow read: if request.auth.uid == userId;
}
match /members/{document=**} {
allow read, write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.verified == true;
}
}
}
But they don't seem to be working. Even if I try this, which is the most alarming part:
match /members/{document=**} {
allow read: if false;
}
I can still read the data in my application. I can even update the documents in the Firebase web UI and they will also update in my React-admin app.
Your match /{document=**} match statement overlaps your match /members/{document=**} statement.
And with
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
any authenticated user can read and write to your entire Firestore DB.
See the doc for more details on Overlapping match statements:
It's possible for a document to match more than one match statement. In the case where multiple allow expressions match a request, the access is allowed if any of the conditions is true.
Generally speaking it is not recommended to keep a default match /{document=**} statement. You should write a dedicated set or rule for each collection/subcollection and remove the match /{document=**} statement and rules.