0
votes

I have noticed this strange behaviour when performing a query on a Firestore database. Basically I am trying to read one document whose document ID matches the uid of the currently logged-in user. When I perform the query I get PERMISSION_DENIED, and the path to the document does not match any document in that collection.

This is the query executed

Firestore _firestore = Firestore.instance;

And inside a StreamBuilder

_firestore.collection('roleusers').document(uid).snapshots()

Now this is the error

W/Firestore( 8177): (21.3.0) [Firestore]: Listen for Query(roleusers/B70tIEbiEkXobNLZ049j) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

And these are the documents inside the roleusers collection [screenshot: roleusers collection].

As you can see none of the documents in the picture matches the documentid pointed by the error.

EDIT: These are my firestore rules:

  match /roleusers/{roleusersID} {
    allow read: if isAdmin(request) || request.auth.uid == roleusersID;
    allow write: if isAdmin(request) || request.auth.uid == roleusersID;
    allow create: if isSignedIn();

    // A nested match path is relative to its parent. Written as
    // /roleusers/{roleusersId}/orders/{orderID} here it would only match
    // /roleusers/{roleusersID}/roleusers/{roleusersId}/orders/{orderID},
    // so the subcollection is matched as /orders/{orderID}.
    match /orders/{orderID} {
      allow read: if isAdmin(request) || request.auth.uid == roleusersID;
      allow write: if isAdmin(request) || request.auth.uid == roleusersID;
    }
  }

  // Recursive wildcard so a collectionGroup('orders') query can match
  // every orders document whatever its parent path.
  match /{path=**}/orders/{orderID} {
    allow read: if isAdmin(request) || isOwner();
    allow update: if isAdmin(request);
    allow create: if isOwner();
  }

where isOwner is this function

function isOwner() {
  // $(database) is only bound when this function is declared inside
  // match /databases/{database}/documents. If roleusers/<uid> does not
  // exist the expression cannot evaluate to true, so the request is denied.
  return get(/databases/$(database)/documents/roleusers/$(request.auth.uid)).data.id == request.auth.uid;
}

EDIT2: To explain a little further why I wrote the rules like this: my main goal is to allow users to read only their own document and to write only to their own document. Admins instead can perform any action on any user's document. Creation of documents in roleusers is allowed to any authenticated user because when a new user opens the app it will write their information to the db.

The nested rule's purpose is to allow the user to read from the orders subcollection inside his document in roleusers.

And the last rule, with the recursive wildcard, is needed to perform a collectionGroup query to get all the orders from all the users.

I have some doubt that the function isOwner() is actually working.

EDIT3: This is the isAdmin() function

function isAdmin(request) {
  // Hard-coded admin uids; the second value is compared against request.auth.uid like the first.
  return request.auth.uid == "F7Ech2v4GpgFfSYpA1HRASYpQTD3"
      || request.auth.uid == "103162704257974620268";
}
1
Permission denied doesn't have anything to do with presence or absence of the document. It has to do with security rules. Please edit the question to show the security rules you have active for Firestore. - Doug Stevenson

I don't see isAdmin. Please edit to show the complete set of rules, and help understand how your query matches the rules. - Doug Stevenson

1 Answer

1
votes

This is because of the Firebase security rules. Please read the official Firebase docs; they explain how to fix this. https://firebase.google.com/docs/firestore/security/get-started
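To make the denial in the question concrete, here is a small model of how Firestore selects `match` blocks and decides a request, run over the rules the asker posted. This is an added example, not the asker's code and not Firebase's evaluator; it implements only the documented path semantics (`{name}` binds one segment, `{name=**}` binds zero or more, a nested match path is relative to its parent) and the rule that a request is granted when any matching `allow` evaluates to true. The uids `uidA`/`uidB`, the order ids and the in-memory database contents are constructed for the demonstration; the admin uids and the document id `B70tIEbiEkXobNLZ049j` are taken from the question.

```python
"""Toy model of how Cloud Firestore security rules pick `match` blocks and decide
a request, applied to the rules in the question.  Added example, not the asker's
code and not Firebase's evaluator: it models only the documented path semantics
({name} binds one segment, {name=**} binds zero or more, a nested match is
relative to its parent) and the any-allow-grants decision.  The uids "uidA"/"uidB"
and the database contents are constructed for the demonstration."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ADMIN_UIDS = {"F7Ech2v4GpgFfSYpA1HRASYpQTD3", "103162704257974620268"}  # from isAdmin()
# Firestore keyword coverage: read = get|list, write = create|update|delete.
COVERS = {"get": ("read", "get"), "list": ("read", "list"), "create": ("write", "create"),
          "update": ("write", "update"), "delete": ("write", "delete")}
VAR = re.compile(r"\{(\w+)(=\*\*)?\}")

@dataclass
class Match:
    pattern: str
    # keyword -> condition(uid or None, path bindings, db as {"col/doc": data})
    allow: Dict[str, Callable] = field(default_factory=dict)
    children: List["Match"] = field(default_factory=list)

def bind(pattern: str, path: str) -> Optional[Dict[str, str]]:
    """Return the wildcard bindings if `pattern` matches `path`, else None."""
    pseg = [s for s in pattern.split("/") if s]
    dseg = [s for s in path.split("/") if s]
    out, i = {}, 0
    for j, seg in enumerate(pseg):
        m = VAR.fullmatch(seg)
        if m and m.group(2):                        # {name=**}: all but what the tail needs
            take = len(dseg) - i - (len(pseg) - j - 1)
            if take < 0:
                return None
            out[m.group(1)] = "/".join(dseg[i:i + take])
            i += take
        elif m:                                     # {name}: exactly one segment
            if i >= len(dseg):
                return None
            out[m.group(1)] = dseg[i]
            i += 1
        elif i < len(dseg) and dseg[i] == seg:      # literal segment
            i += 1
        else:
            return None
    return out if i == len(dseg) else None

def flatten(rules: List[Match], prefix: str = ""):
    """Yield (full pattern, allow map); a child's pattern is appended to its parent's."""
    for m in rules:
        yield prefix + m.pattern, m.allow
        yield from flatten(m.children, prefix + m.pattern)

def allowed(rules: List[Match], op: str, path: str, uid: Optional[str], db: Dict[str, dict]) -> bool:
    """Granted if any allow statement of any matching block evaluates to true."""
    for full, allow in flatten(rules):
        bindings = bind(full, path)
        if bindings is None:
            continue
        for key in COVERS[op]:
            cond = allow.get(key)
            try:
                if cond is not None and cond(uid, bindings, db):
                    return True
            except KeyError:    # get() of a missing document: the expression cannot grant
                pass
    return False

# The question's functions, transcribed.
def is_admin(uid): return uid in ADMIN_UIDS
def is_signed_in(uid, b, db): return uid is not None
def owner_or_admin(uid, b, db): return is_admin(uid) or uid == b["roleusersID"]
def is_owner(uid, b, db):       # get(.../roleusers/$(request.auth.uid)).data.id == request.auth.uid
    return db[f"roleusers/{uid}"]["id"] == uid

USER_ALLOW = {"read": owner_or_admin, "write": owner_or_admin, "create": is_signed_in}
ORDER_ALLOW = {"read": owner_or_admin, "write": owner_or_admin}
GROUP = Match("/{path=**}/orders/{orderID}",
              {"read": lambda u, b, db: is_admin(u) or is_owner(u, b, db),
               "update": lambda u, b, db: is_admin(u), "create": is_owner})

def rules_as_posted() -> List[Match]:
    """Nested match written with a full path, as in the question."""
    users = Match("/roleusers/{roleusersID}", USER_ALLOW,
                  [Match("/roleusers/{roleusersId}/orders/{orderID}", ORDER_ALLOW)])
    return [users, GROUP]

def rules_fixed() -> List[Match]:
    """Same rules with the nested match written relative to its parent."""
    users = Match("/roleusers/{roleusersID}", USER_ALLOW, [Match("/orders/{orderID}", ORDER_ALLOW)])
    return [users, GROUP]
```

`allowed(rules_as_posted(), "get", "/roleusers/B70tIEbiEkXobNLZ049j", "uidA", {})` returns False, and putting that document into `db` does not change the result: for a non-admin the only grant on `roleusers/{roleusersID}` is `request.auth.uid == roleusersID`, so the value the app passes to `document(uid)` has to be the caller's Firebase Auth uid, and the document's existence never enters the decision. The model also shows two properties of the rules as posted: `flatten` expands the nested block to `/roleusers/{roleusersID}/roleusers/{roleusersId}/orders/{orderID}`, so a read of `roleusers/<uid>/orders/<id>` falls through to the collection-group rule and is granted only when `roleusers/<uid>` exists with an `id` field equal to the uid (`isOwner`), whereas with the relative form `/orders/{orderID}` the owner check on the parent id suffices; and `allow create: if isSignedIn()` lets any signed-in user create `roleusers/<anything>`, including another user's uid, which the `write` rule alone would not permit.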