Firestore security rules allow one document to be public

Question

I'm working on an Angular app using Firestore here I have a bookings functionality. I want users to publicly read and write to bookings if there provided reference_no exists within one of the documents.

Here is how my document is structured:

These are my current security rules:

service cloud.firestore {
  match /databases/{database}/documents {

   match /jobs/{job} {
        allow read, write: if request.resource.data.property.reference_no == resource.data.property.reference_no;
   }

   match /{document=**} {
      allow read, write: if isSignedInUser();
    }

    //functions

    function isSignedInUser(){
        return request.auth.uid != null;
    }
  }
}

This is how I'm querying this:

findByReferenceNo(reference_no): Observable < any > {
  return this.afs
    .collection(this.jobsCollection, ref => ref.where('property.reference_no', '==', reference_no))
    .snapshotChanges()
    .pipe(
      map((actions) => {
        return actions.map((snapshot) => {
          const data = snapshot.payload.doc.data();
          const id = snapshot.payload.doc.id;
          return {
            id,
            ...data
          };
        });
      })
    );
}

But not sure why I'm getting: Error: Missing or insufficient permissions. Note: I'm not signed in while accessing this.

Answer 1

As far as I know, in order to guarantee query performance, Firestore security rules validate your query and not each individual document. This means that a query is only allowed if the rules can validate that the query won't retrieve more data than is allowed.

In your current model that is simply not possible, because it would require that the security rules check each individual document. For some examples of queries that can be secured, have a look at the Firestore documentation on securing queries .