1
votes

I have the following situation in my project. I'm using Angular Firestore to get a groupCollection of users detailed information.

My database collection hierarchy looks like this.

users/{userId}/personalInfo/{document}

I created a group index for personalInfo in Firestore.

When I reset my rules to default like putting

match /{document=**} {
  allow read, write: if false;
}

at the end of my rules, it works and I am able to query every personalInfo document.

But as soon as I try to set any rule to protect this groupCollection I get this "permission denied" message.

The most simple rule I tried to set at bottom of my rules looks like that.

match /users/{userId=**}/personalInfo/{doc} {
  allow read, write: if true;
}

But unfortunately, I get this permission denied message and don't know why.

Inside my UserService, I'm using Angular Firestore to simply execute the collectionGroup query.

import { Injectable } from '@angular/core';
import { AngularFirestore } from '@angular/fire/firestore';

@Injectable({ providedIn: 'root' })
export class UserService {
  constructor(private afs: AngularFirestore) {}

  public getUsersDetailedInfo() {
    return this.afs.collectionGroup('personalInfo');
  }
}
1 vote

Could you share the complete error trace you are getting? This will help to have a better perspective on the case. – Harif Velarde

1 Answer

2
votes

You might want to review the documentation for security rules for collection group queries. It says:

In your security rules, you must explicitly allow collection group queries by writing a rule for the collection group:

  • Make sure rules_version = '2'; is the first line of your ruleset. Collection group queries require the new recursive wildcard {name=**} behavior of security rules version 2.
  • Write a rule for your collection group using match /{path=**}/[COLLECTION_ID]/{doc}.

You can't use a static path segment in front of the collection group path segment. This is because collection group queries always try to consider all collections with the given name. You can't constrain the query or rules to just those subcollections nested under "users".

If you want to allow all collection group queries for "personalInfo", it will have to be like this:

match /{path=**}/personalInfo/{doc} {
  allow read, write: if true;
}

Note that all I've really done here is remove the "users" path segment from the match.
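The rule in the answer makes every personalInfo document readable and writable by anyone, including unauthenticated clients, which defeats the purpose of protecting it. The following complete ruleset is an added example, not part of the question or the answer: it keeps the `{path=**}` form that collection group queries require (with `rules_version = '2'` as the first line), but allows a user to see only their own documents. It assumes each personalInfo document stores its owner's uid in an `ownerId` field; that field name is an assumption, not something from the original post.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Direct reads and writes under a known user document:
    // only the owner (matched by the {userId} segment) may touch it.
    match /users/{userId}/personalInfo/{doc} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Collection group rule: no static segment may precede personalInfo,
    // so the owner is identified from the document itself.
    // Assumes an `ownerId` field on each personalInfo document (assumption).
    match /{path=**}/personalInfo/{doc} {
      allow read: if request.auth != null
                  && resource.data.ownerId == request.auth.uid;
      // Writes stay on the explicit users/{userId} path above.
    }

    // Everything else stays closed.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, rules are not filters: a collection group query is evaluated against the rule as a whole, so the client query must itself be narrowed to match, for example `collectionGroup('personalInfo', ref => ref.where('ownerId', '==', uid))` in AngularFirestore; an unfiltered `collectionGroup('personalInfo')` will still be rejected with "permission denied" because it could return documents the caller may not read. Second, `allow` statements are OR-ed, so the `{path=**}` rule also governs direct reads of `users/{userId}/personalInfo/{doc}`; the two rules above are deliberately consistent so neither one widens the other.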