0
votes

I have an app using Cloud Firestore from Firebase.

It is mainly a website whose data is stored on Firestore. By data, I mean the text and images displayed on the website for every user to see.

So I get a mail each day from Firebase telling me my rules are not secure because every user can read all the data (which is mainly the goal; if not, they would not see any text on the website).

I did it this way because I use Firebase Authentication for a kind of admin mode of the website, where you can write and update data.

Currently, my rules are as follows:

    rules_version = '2';
    service cloud.firestore {
        match /databases/{database}/documents {
            match /{document=**} {
                allow read: if true;
                allow write: if request.auth.uid != null;
            }

            match /users/{userId} {
                allow write: if isOwner(userId);
            }
        }
        function isOwner(userId) {
            return request.auth.uid == userId;
        }
    }

As a beginner with Firebase, I would appreciate any help.

Cheers

1 Answers

0
votes

> So I get a mail each day from Firebase telling me my rules are not secure because every user can read all the data (which is mainly the goal; if not, they would not see any text on the website).

I would not ignore this email as Renaud suggests. Allowing access to every document in the database using recursive wildcards like this: `match /{document=**}` can lead to unexpected security problems.

Instead, your rules should be explicit about which collections are actually public for anyone to query. Just remove the recursive wildcard that matches all documents, and call out each collection individually, and the emails will stop:

    match /databases/{database}/documents {
        match /collection1/{id} {
            allow read: if true;
            allow write: if request.auth.uid != null;
        }
        match /collection2/{id} {
            allow read: if true;
            allow write: if request.auth.uid != null;
        }
        match /users/{userId} {
            allow write: if isOwner(userId);
        }
    }

While you might find this inconvenient, it prevents the possibility that you accidentally allow read access to other data in the future that should not be public.
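
An added example (not part of the question or the answer above): a simplified JavaScript model of rule matching, not the real Firestore rules engine, that compares the two rule sets on constructed requests. It assumes that access is granted when any matching `allow` statement is true; the `adminNotes` collection and the users `alice` and `bob` are hypothetical.

```javascript
// Simplified model of Firestore rule matching (NOT the real rules engine).
// Returns the captured wildcard variables if `pattern` covers `path`, else null.
function matches(pattern, path) {
  const pat = pattern.split('/').filter(Boolean);
  const seg = path.split('/').filter(Boolean);
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    const rec = /^\{(\w+)=\*\*\}$/.exec(pat[i]);
    if (rec) { vars[rec[1]] = seg.slice(i).join('/'); return vars; } // recursive wildcard
    if (i >= seg.length) return null;
    const one = /^\{(\w+)\}$/.exec(pat[i]);
    if (one) vars[one[1]] = seg[i];           // single-segment wildcard
    else if (pat[i] !== seg[i]) return null;  // literal segment must match
  }
  return pat.length === seg.length ? vars : null;
}

// Assumption modelled: a request is allowed if ANY matching statement allows it.
function allowed(rules, op, path, auth) {
  return rules.some(r => {
    const vars = matches(r.match, path);
    return vars !== null && r[op] !== undefined && r[op](auth, vars);
  });
}

const signedIn = auth => auth !== null;
const isOwner = (auth, v) => auth !== null && auth.uid === v.userId;
// Rules from the question: recursive catch-all plus a users rule.
const wildcardRules = [
  { match: '/{document=**}', read: () => true, write: signedIn },
  { match: '/users/{userId}', write: isOwner },
];
// Rules from the answer: each public collection named explicitly.
const explicitRules = [
  { match: '/collection1/{id}', read: () => true, write: signedIn },
  { match: '/collection2/{id}', read: () => true, write: signedIn },
  { match: '/users/{userId}', write: isOwner },
];
// Constructed requests; "adminNotes" is a hypothetical collection added later.
function compare() {
  const bob = { uid: 'bob' };
  const cases = [['read', '/collection1/home', null], ['read', '/adminNotes/n1', null],
                 ['write', '/users/alice', bob], ['write', '/users/bob', bob]];
  return cases.map(([op, path, auth]) => ({ op, path,
    wildcard: allowed(wildcardRules, op, path, auth),
    explicit: allowed(explicitRules, op, path, auth) }));
}
console.table(compare());
```

In this model the catch-all makes the later `adminNotes` collection publicly readable and lets any signed-in user write to another user's document, because the broad `allow write` overlaps the `isOwner` rule; with explicit collections both requests are denied.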