0
votes

I'm getting "Missing or insufficient permissions" when I have a security rule that checks for a subfield. For example:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /entries/{id} {
      allow read: if resource.data.business.id == "hh7AvLpTbFGRmCGodLV4";
    }
  }
}

The only document I have in the entries collection:

{
  "batchId": "bnzVkufp9mM6yGokUYug",
  "business": {
    "id": "hh7AvLpTbFGRmCGodLV4"
  }
}

My query:

firestore()
  .collection('entries')
  .where('batchId', '==', 'bnzVkufp9mM6yGokUYug')

If I change the security rule to allow read: if resource.data.batchId == "bnzVkufp9mM6yGokUYug", it works fine. Is there something that I missed?

Note:

  • The rule works fine when tested using "Rules playground" in Firebase Console, but fails in production.
  • I have another project that works fine with rules that check for a subfield. However, for 2 new Firebase projects that I created, it doesn't work.
  • I found a related problem from 2017 (Firestore security rules, nested field). Could this be the same issue re-appearing again?
1
Please edit the question to show both the exact contents of the document, along with the code that's trying to read it. - Doug Stevenson
@DougStevenson, thanks for your quick reply! I updated my question with the info you mentioned. - Aris Feryanto

1 Answer

0
votes

One important thing to realize is that security rules are not filters.

Right now, your rule is saying that all queries on the "entries" collection must specify a filter for business.id that equals "hh7AvLpTbFGRmCGodLV4". The query you have now does not have that filter, so the rule is always going to reject it. If you want the query to work with those rules, it will have to be like this:

firestore()
  .collection('entries')
  .where('batchId', '==', 'bnzVkufp9mM6yGokUYug')
  .where('business.id', '==', 'hh7AvLpTbFGRmCGodLV4')
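
A simplified JavaScript model of the behaviour this answer describes, added here as an example; it is not part of the original answer and not Firestore's own code. It assumes rules can be reduced to equality constraints on field paths, and the function names (`getAllowed`, `listAllowed`, `runQuery`) are hypothetical. It shows why a single-document read passes while the query from the question is denied, even though the only stored document satisfies the rule.

```javascript
// Simplified model (an assumption for illustration, not Firestore's real engine):
// a rule is a set of required equality constraints on field paths.
const rule = { 'business.id': 'hh7AvLpTbFGRmCGodLV4' };

// Constructed sample data: the single document from the question.
const docs = [
  { batchId: 'bnzVkufp9mM6yGokUYug', business: { id: 'hh7AvLpTbFGRmCGodLV4' } },
];

// Resolve a dotted field path such as 'business.id' inside a document.
function fieldAt(doc, path) {
  return path.split('.').reduce((v, k) => (v == null ? undefined : v[k]), doc);
}

// Single-document read (get): the rule is checked against the stored data.
function getAllowed(rule, doc) {
  return Object.entries(rule).every(([path, want]) => fieldAt(doc, path) === want);
}

// Query (list): the rule is checked against the query's constraints only.
// Every field the rule pins down must be pinned to the same value by the
// query, otherwise the query could return a document the rule forbids.
function listAllowed(rule, filters) {
  return Object.entries(rule).every(([path, want]) =>
    filters.some(([f, op, v]) => f === path && op === '==' && v === want));
}

// Run a query as the model describes: deny outright, never filter silently.
// Only '==' filters are modelled here.
function runQuery(rule, filters, docs) {
  if (!listAllowed(rule, filters)) {
    throw new Error('Missing or insufficient permissions');
  }
  return docs.filter((d) => filters.every(([f, , v]) => fieldAt(d, f) === v));
}

// The query from the question, and the corrected query from the answer.
const original = [['batchId', '==', 'bnzVkufp9mM6yGokUYug']];
const corrected = [...original, ['business.id', '==', 'hh7AvLpTbFGRmCGodLV4']];
```

Calling `runQuery(rule, original, docs)` throws the permissions error, while `runQuery(rule, corrected, docs)` returns the document.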