0
votes

I always get the mail about my Cloud Firestore security rules being insecure.

Every user can read the whole database

But I don't get it. These are my rules:

service cloud.firestore {
    match /databases/{database}/documents {
        match /users/{userID} {
            allow read;
            allow write: if request.auth != null;
        }
        match /users/{userId}/wishlists/{restOfPath=**} {
            allow read,write: if request.auth != null;
        }
    }
}

Users should be readable by everyone, but everything else should be restricted to authorized users only. What am I missing here?

1
I think this is just a warning from Firestore; it is recommended to try to avoid such scenarios when you need to open access to your db to all users. You can read more about rules here.
Emil Gi

1 Answer

0
votes

I am surprised by the "allow read;" line. You can replace it with "allow read: if true;"

And it is safer to start your rules file with:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;  // General rule that protects access to documents not covered by the next rules
    }
  }
}
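As an added example (not part of the answer above), here is the asker's rule set merged with the default-deny catch-all. Two things are worth seeing in one file: Firestore rules are additive, so the `if false` catch-all never overrides a more specific `allow`, and the unconditional read on `/users/{userId}` is therefore still world-readable after the change. That open read is what the "insecure rules" mail is about; the catch-all only closes paths the asker had not written rules for. The owner check (`request.auth.uid == userId`) is an assumption that the document id is the owner's uid; the original rules allowed any signed-in user to write any profile or wishlist.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Catch-all: any path not matched by a more specific rule below is denied.
    // Rules are additive, so this never takes away access granted further down.
    match /{document=**} {
      allow read, write: if false;
    }

    // Profiles: readable by anyone, as the asker wants. This unconditional read
    // is the open access that Firebase's insecure-rules mail flags.
    // Assumption (not from the original post): the document id is the owner's uid,
    // so writes are limited to the owner instead of every signed-in user.
    match /users/{userId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.uid == userId;
    }

    // Wishlists: owner only, again assuming the parent id is the owner's uid.
    match /users/{userId}/wishlists/{restOfPath=**} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
```

If the warning itself needs to go away rather than just being understood, the lever is the `allow read: if true;` line: either require `request.auth != null` there as well, or keep only the fields that really must be public in a separate collection with its own open read rule.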