0
votes

I'm trying to configure my Firestore security rules so that all users can read data, but only logged-in users can make posts and delete their own posts. The delete functionality isn't working and produces the following error:

FirebaseError: Missing or insufficient permissions.

I've configured my security rules as follows:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents{
    match/gig-listing/{document = **} {
      allow write: if request.auth.token.admin ==true;
      allow delete: if isAuthenticated() && request.auth.uid == resource.data.userId;
      allow read;
    }
  }
}

function isAuthenticated(){
  return request.auth != null;
}

...and the component controlling deletions is as follows:

import React, {useState, useEffect} from 'react'
import Giglisting from './Giglisting'
import Button from "@material-ui/core/Button";
import { withStyles } from '@material-ui/core/styles';
import firebase from 'firebase'

const StyledButton = withStyles({
    root: {
      background: '#54ADA6',
      borderRadius: 3,
      border: 0,
      color: 'white',
      height: 30,
      padding: '0 30px',
      marginRight: '1px'
      
    },
    label: {
      textTransform: 'capitalize',
    },
  })(Button);


const UniqueVenueListing = (props) => {
    const gigList = props.gigList
    const ref = firebase.firestore().collection('gig-listing')

    // Delete the gig document. The Firestore security rules decide whether
    // the signed-in user may do this; a denial is reported in catch().
    const deleteGig = (gigs) => {
        ref
            .doc(gigs.id)
            .delete()
            .catch(err => {
                console.error(err)
            })
    }

    return (
        <div>
            {
                gigList.map(gigs => {
                    let name = gigs.data().name
                    let genre = gigs.data().genre
                    let time = gigs.data().time
                    let tickets = gigs.data().tickets
                    let price = gigs.data().price
                    // key gives each list item a stable identity for React
                    return <Giglisting
                        key = {gigs.id}
                        gigtitle = {name}
                        genre = {genre}
                        time = {time}
                        buytickets = {tickets}
                        price = {price}
                        button = {<StyledButton onClick ={() => deleteGig(gigs)}>Delete Gig</StyledButton>}
                    />
                })
            }
        </div>
    )
}

export default UniqueVenueListing

I also tried allow delete: if request.auth.token.admin ==true;, with no luck. Any suggestions?

1
Your rules depend on the contents of the existing document, which we can't see. Please edit the question to show all of the data involved, including the uid which you log from your code, and the userId field of the document you're trying to delete. There should be enough information in the question so that we can reproduce the behavior.
- Doug Stevenson

1 Answer

0
votes

You could try with the following security rules configuration in order to avoid any conflicts with the write rule you have defined on the security rules configuration you shared. Notice that by breaking the write rule through its granular operations you can isolate the delete rule and get the desired behavior. Find all the relevant information here.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Matches any document in the 'gig-listing' collection or subcollections.
    match /gig-listing/{document=**} {
      // Allow everyone to read documents in the 'gig-listing' collection
      // or subcollections
      allow read;
      // Separating the write functionality as per granular operations
      // to isolate the delete command
      allow delete: if request.auth.uid == resource.data.userid;
      allow create, update: if request.auth.uid != null;
    }
  }
}

I found this other section of the documentation very useful for defining security rules and how to query data.
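
The comparison the comment above asks for (the signed-in uid against the document's owner field), as an added example that is not part of the original question or answer: a plain-JavaScript model of the owner condition in `allow delete`, not the Firestore rules engine. `explainDelete`, the sample document and the uids are constructed for illustration.

```javascript
// Added example: a plain-JavaScript model of the owner check in `allow delete`.
// It is not the Firestore rules engine; all names and sample data are constructed.

// ownerField is the field name exactly as written in the rule
// (`userId` in the question's rules, `userid` in the answer's).
function explainDelete(auth, docData, ownerField) {
  if (auth == null || auth.uid == null) {
    return { allowed: false, reason: 'request.auth is null: the client is not signed in' };
  }
  if (docData == null) {
    return { allowed: false, reason: 'resource is null: the document does not exist' };
  }
  if (!Object.prototype.hasOwnProperty.call(docData, ownerField)) {
    // Field names are case-sensitive, so look for a near miss to report.
    const nearMiss = Object.keys(docData).find(
      (k) => k.toLowerCase() === ownerField.toLowerCase()
    );
    const hint = nearMiss ? ` (document has '${nearMiss}' instead)` : '';
    return { allowed: false, reason: `document has no '${ownerField}' field${hint}` };
  }
  if (docData[ownerField] !== auth.uid) {
    return { allowed: false, reason: `'${ownerField}' does not equal request.auth.uid` };
  }
  return { allowed: true, reason: 'owner check passed' };
}

// Constructed sample: the document stores its owner under `userId`.
const gig = { name: 'Constructed Gig', userId: 'uid-alice' };
const alice = { uid: 'uid-alice' };
const bob = { uid: 'uid-bob' };

function demo() {
  return [
    explainDelete(alice, gig, 'userId'), // owner, rule field matches the document
    explainDelete(alice, gig, 'userid'), // owner, rule field differs in case
    explainDelete(bob, gig, 'userId'),   // signed in, but not the owner
    explainDelete(null, gig, 'userId'),  // signed out
  ];
}

for (const r of demo()) console.log(r.allowed ? 'ALLOW' : 'DENY ', '-', r.reason);
```

Logging `firebase.auth().currentUser` and `gigs.data()` just before the `delete()` call gives the real values to feed into the same comparison.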