Firestore rule not working as expected

Question

I have following rule set up on firestore.

service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemid} {
        allow read, write: if request.auth.uid == resource.data.owner;
    }
  }
}

In my Angular service, I am initializing collection as follows:

constructor(private authService: AuthService, private fs: AngularFirestore) {
  this.itemsCollection = this.fs.collection('items', cr => {
    return cr.where('owner', '==', authService.currentUserId);
  });
}

Code to read items:

items() {
  return this.itemsCollection.valueChanges();
}

Code to write item:

addItem(item: ItemEntry): Observable<DocumentReference> {
  item.owner = this.authService.currentUserId;
  return Observable.fromPromise(this.itemsCollection.add(item));
}

The read operation works correctly, but the write operation (addItem) fails with error

Missing or insufficient permissions.

Unable to figure out, why?

Rosário Pereira Fernandes Rosário Pereira Fernandes · Accepted Answer · 2018-03-04T14:10:55

That's because the resource variable:

contains a map of the fields and values stored in a document in resource.data.

This means that resource.data only contains the data that is already stored on the database.

You should use request.resource instead. Because it contains the data being written to the database. Your new rules would look like this:

allow read, write: if request.auth.uid == request.resource.data.owner;

Firestore rule not working as expected

1 Answers