I have noticed this strange behaviour when performing a query to a Firestore database.
Basically I am trying to read one document with a specific document id that matches the uid of the currently logged-in user.
When I perform the query I get PERMISSION_DENIED, and the path to the document does not match any document in that collection.
This is the query executed:

```dart
Firestore _firestore = Firestore.instance;
```

And inside a StreamBuilder:

```dart
_firestore.collection('roleusers').document(uid).snapshots()
```
Now this is the error:

```
W/Firestore( 8177): (21.3.0) [Firestore]: Listen for Query(roleusers/B70tIEbiEkXobNLZ049j) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}
```
And these are the documents inside the roleusers collection.

[image: roleusers collection]

As you can see, none of the documents in the picture matches the document id pointed to by the error.
EDIT: These are my Firestore rules:

```
match /roleusers/{roleusersID} {
  // A user may read and write only the document whose id equals their own
  // uid; admins may read and write any document.
  allow read: if isAdmin(request) || request.auth.uid == roleusersID;
  allow write: if isAdmin(request) || request.auth.uid == roleusersID;
  // `write` above already covers create, update and delete for owners and
  // admins; this additionally lets any signed-in user create a document
  // (allow statements are OR'ed together).
  allow create: if isSignedIn();

  // Nested match paths are relative to the enclosing match, so the orders
  // subcollection is matched as /orders/{orderID} here; the resulting full
  // path is /roleusers/{roleusersID}/orders/{orderID}, and the enclosing
  // wildcard roleusersID stays in scope.
  match /orders/{orderID} {
    allow read: if isAdmin(request) || request.auth.uid == roleusersID;
    allow write: if isAdmin(request) || request.auth.uid == roleusersID;
  }
}

// Recursive wildcard: this is the rule a collectionGroup('orders') query
// is evaluated against, since it matches every orders subcollection.
match /{path=**}/orders/{orderID} {
  allow read: if isAdmin(request) || isOwner();
  allow update: if isAdmin(request);
  allow create: if isOwner();
}
```
where isOwner is this function:

```
// Reads the caller's own roleusers document and checks that its `id` field
// equals the caller's uid. Notes on what this evaluates to:
//  - $(database) must be bound by an enclosing
//    match /databases/{database}/documents block;
//  - get() performs a document read inside the rule evaluation and, if
//    roleusers/{uid} does not exist, accessing .data errors and the request
//    is denied;
//  - nothing about the order being accessed (orderID or path) is inspected,
//    only the existence and `id` field of the caller's own roleusers document.
function isOwner() {
  return get(/databases/$(database)/documents/roleusers/$(request.auth.uid)).data.id
      == request.auth.uid;
}
```
EDIT2: To explain a little further why I wrote the rules like this: my main goal is to allow users to read only their own document and only write to their own document. Admins instead can perform any action on any user's document. Creation of documents in roleusers is allowed to any authenticated user because when a new user opens the app it writes the information to the db.
The nested rule's purpose is to allow the user to read from the subcollection orders inside his document in roleusers.
And the last rule, with the recursive wildcard, is needed to perform a collectionGroup query to get all the orders from all the users.
I have some doubt that the function isOwner() is actually working.
EDIT3: This is the isAdmin() function:

```
// Admins are identified by a hard-coded allow-list of uids. `request` is
// passed in explicitly here, although rules functions can also read the
// global request object directly.
function isAdmin(request) {
  return request.auth.uid == "F7Ech2v4GpgFfSYpA1HRASYpQTD3"
      || request.auth.uid == "103162704257974620268";
}
```
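As an added example (not code from the question), here is how the client side can be wired so that the document id it reads and writes under roleusers is the Firebase Auth uid that the rule `request.auth.uid == roleusersID` compares against. It assumes the cloud_firestore and firebase_auth APIs of the same generation as the `Firestore.instance` call in the question (`FirebaseAuth.instance.currentUser()` returning a `FirebaseUser`), and that the roleusers document carries the `id` field that `isOwner()` reads; the function names are mine.

```dart
// Added example, not part of the question. Assumes cloud_firestore /
// firebase_auth of the same era as Firestore.instance (FirebaseUser,
// currentUser()); function names are hypothetical.
import 'package:cloud_firestore/cloud_firestore.dart';
import 'package:firebase_auth/firebase_auth.dart';

final Firestore _firestore = Firestore.instance;

/// Returns the uid of the signed-in user, or null if nobody is signed in.
/// With no signed-in user request.auth is null and every rule that touches
/// request.auth.uid denies the request.
Future<String> currentUid() async {
  final FirebaseUser user = await FirebaseAuth.instance.currentUser();
  return user?.uid;
}

/// Creates (or refreshes) the caller's own roleusers document, keyed by the
/// auth uid. The `id` field mirrors the document id because isOwner() in the
/// rules reads `.data.id` and compares it to request.auth.uid.
/// The first write is allowed by `allow create: if isSignedIn()`; later
/// writes are allowed by `request.auth.uid == roleusersID`.
Future<void> ensureOwnRoleUserDoc(String uid) {
  return _firestore
      .collection('roleusers')
      .document(uid)
      .setData(<String, dynamic>{'id': uid}, merge: true);
}

/// Stream of the caller's own roleusers document. The path must be
/// roleusers/<auth uid>; any other id (for example an auto-generated one)
/// fails the `request.auth.uid == roleusersID` check for non-admins, which
/// surfaces on the listener as PERMISSION_DENIED.
Stream<DocumentSnapshot> ownRoleUserDoc(String uid) {
  return _firestore.collection('roleusers').document(uid).snapshots();
}

/// Stream of the caller's own orders subcollection (the nested match rule).
Stream<QuerySnapshot> ownOrders(String uid) {
  return _firestore
      .collection('roleusers')
      .document(uid)
      .collection('orders')
      .snapshots();
}

/// Collection-group query over every orders subcollection; this is the
/// query the `match /{path=**}/orders/{orderID}` rule exists for.
Stream<QuerySnapshot> allOrders() {
  return _firestore.collectionGroup('orders').snapshots();
}

/// Resolve the uid first and only then build the document stream, so a
/// StreamBuilder never subscribes with a null or stale id.
Future<Stream<DocumentSnapshot>> ownRoleUserDocForCurrentUser() async {
  final String uid = await currentUid();
  if (uid == null) {
    throw StateError('No signed-in user; roleusers/{uid} cannot be resolved');
  }
  await ensureOwnRoleUserDoc(uid);
  return ownRoleUserDoc(uid);
}
```

Under the rules as posted, a roleusers document stored under any id other than the owner's auth uid is readable only by admins, since the owner check is purely a comparison between `request.auth.uid` and the document id; keeping the document id and the `id` field equal to the uid is what makes both the direct read and `isOwner()` succeed for that user.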