0
votes

I made a simple app for underprivileged students so that they can learn during the pandemic. I update notes for each subject daily through the Firebase console (Cloud Firestore). No authentication is included because the students are small and not well versed with technology. I have only allowed read and deleted the write options in the security rules. Last night I got this email. I have added the image copy. I just want everyone to download the app and read the data (notes) but no one to write. Is my database safe? Can anyone write, delete or manipulate the database if they got the project id?

Soon I'm planning to buy the Blaze plan but now I'm a little insecure.

My security rules are as follows:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
    }
  }
}


3
The Firebase Realtime Database and Cloud Firestore are two separate databases. Please only mark your question with the relevant tag, not with both. - Frank van Puffelen

3 Answers

0
votes

Yes, it is safe, and people can only read stuff; no one can write to it unless they can access the database directly.

0
votes

It's completely safe, no one can write or delete your database, but since the database is open to read to everyone, some notorious people might send endless requests to your database and exhaust your daily limit if you are using the free plan, or if you are using billing, your billing cost will skyrocket. So the best option is to make read permission for authenticated users only, and on the app side you can do anonymous login, so that you don't have to enforce Gmail or other login on the app side, and unauthenticated users can't exhaust your daily limit. Check the following link for anonymous login: https://firebase.google.com/docs/auth/android/anonymous-auth

0
votes

As stated in that email/warning message, the rules you have are not considered secure. As your rules currently stand, a malicious user could abuse your database by calling hundreds of requests to it which may lead to unexpected billing charges.

The trigger for this warning is simple - if "allow read;" or "allow write;" is present on the /{document=**} path, send the user the warning as these broad rules are considered a bug and should be tightened. One of the main reasons the warning exists is if you store sensitive user data like phone numbers, email addresses, billing information under a /users/someUserId document - with the current rules this is now publicly accessible and can get you in trouble with data privacy laws and regulations like GDPR. There are a number of other similar conditions that also send similar warnings like if the system detects that the default 30 days of read/write access has expired.

If your data is expected to be publicly accessible, rather than grant read access to the entire database, grant it to the specific collections that you want to be public.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // public database of cars
    match /cars/{carId} {
      allow read;
    }

    // public database of trains
    match /trains/{trainId} {
      allow read;
    }

    // only that user can read/write their own data
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId;
    }
  }
}

I recommend having a read of the fixing insecure rules documentation for more information.

You can also make use of granular rules to limit the queries that can be performed against your database such as limiting getting a list of posts to 10 at a time.
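
As an added example (not part of the answers above and not Firebase's own checker), the warning trigger described in the last answer can be approximated by a small script run over a rules file before deploying. It assumes one statement per line, as in the rules shown on this page, and the `notes` collection name in the sample is hypothetical.

```javascript
// Added example: heuristic scan of a Firestore rules file for unconditional
// allow statements on the whole-database wildcard path. Not a full parser.
const WHOLE_DB = /^\/databases\/\{\w+\}\/documents\/\{\w+=\*\*\}$/;

function findBroadRules(rulesText) {
  const findings = [];
  const scopes = []; // one entry per open block: match path, or '' for service
  rulesText.split('\n').forEach((raw, index) => {
    const line = raw.replace(/\/\/.*$/, '').trim(); // strip // comments
    const match = /^match\s+(\S+)\s*\{$/.exec(line);
    if (match) { scopes.push(match[1]); return; }
    if (/^service\s+\S+\s*\{$/.test(line)) { scopes.push(''); return; }
    if (line === '}') { scopes.pop(); return; }
    const allow = /^allow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;$/.exec(line);
    if (!allow) return;
    // No condition at all, or a literal "if true", both grant access to anyone.
    const unconditional = allow[2] === undefined || allow[2] === 'true';
    if (unconditional && WHOLE_DB.test(scopes.join(''))) {
      findings.push({
        line: index + 1,
        path: scopes.join(''),
        methods: allow[1].split(',').map((m) => m.trim()),
      });
    }
  });
  return findings;
}

// Constructed samples: the question's rules, then a per-collection variant
// with a capped list query ("notes" is a hypothetical collection name).
const OPEN_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
    }
  }
}`;
const SCOPED_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /notes/{noteId} {
      allow get;
      allow list: if request.query.limit <= 10;
    }
  }
}`;

console.log(findBroadRules(OPEN_RULES), findBroadRules(SCOPED_RULES));
```

The first sample is reported at line 5 with method `read`; the scoped variant produces no findings because its unconditional `allow get;` applies to one collection only.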