Having an issue where firestore security rules are blocking my realtime listeners
Here are the security rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
function isAdmin(uid) {
return get(/databases/$(database)/documents/employees/$(uid)).data["Type"] == "Admin";
}
match /transactions/{transactionID} {
//allow transaction if admin or if the user making the request is the EID of the relevant assignment
allow read, create: if isAdmin(request.auth.uid) ||
get(/databases/$(database)/documents/assignments/$(resource.data.assignment)).data.EID == request.auth.uid;
}
match /threads/{threadID} {
allow read, write: if resource.data.Parties[0] == request.auth.uid ||
resource.data.Parties[1] == request.auth.uid;
}
match /sites/{siteID} {
allow read;
}
match /employees/{employeeID} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /employees/{employeeID}/EditHistory {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /employees/{employeeID}/Sessions {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /directory/{any} {
allow read;
}
match /assignments/{assignmentID} {
allow read, write: if isAdmin(request.auth.uid) ||
get(/databases/$(database)/documents/assignments/$(assignmentID)).data.EID == request.auth.uid;
}
match /analytics {
allow read: if isAdmin(request.auth.uid);
}
}
}
}
All of my listeners are being blocked with the error "insufficient permissions", but when I try the corresponding get queries in the security rules playground they're allowed.
Here is an example of the query I'm attempting.
firebase.auth().onAuthStateChanged(user => {
if (user) {
unsubscribeTimetrackingListener = firebase.firestore().collection('employees').doc(currentUser.uid).collection("Sessions").where("Date", "==", generateDateStr(0))
.onSnapshot((querySnapshot) => {
fetchHistory();
}, (err) => {
console.error("Timetracking Listener Error: ", err);
})
}
});
Are there any steps I can take from here to attempt to debug why the listeners are being blocked?
Thanks.
I would write your nested security rules as so:
match /employees/{employeeID} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
match /EditHistory/{history} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /Sessions/{session} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
}
In general, granting access to documents is SPECIFIC TO THAT LEVEL - it does NOT automatically extend to allow child levels. The nested rules, above, add access to the nested collections.
You might also write:
match /employees/{employeeID} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /employees/{employeeID}/EditHistory{histories} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
match /employees/{employeeID}/Sessions/{sessions} {
allow read, write: if isAdmin(request.auth.uid) ||
(employeeID == request.auth.uid)
}
[note the addition of {histories} and {sessions}]
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.