Intended behavior

The goal is to rework my security rules such that only an authenticated user can read and write the data of that specific user. This is based on the users UID, which is how we identify individual users (this is done from firebase authentication, so not sure what the problem is).

The error

FirebaseError: Missing or insufficient permissions

Any suggestions on what I can do here would be very much appreciated. I haven't been able to find anything applicable in other questions asked.

Intended behavior

The goal is to rework my security rules such that only an authenticated user can read and write the data of that specific user. This is based on the users UID, which is how we identify individual users (this is done from firebase authentication, so not sure what the problem is).

The error

FirebaseError: Missing or insufficient permissions

Any suggestions on what I can do here would be very much appreciated. I haven't been able to find anything applicable in other questions asked.

• javascript
• firebase
• google-cloud-firestore
• firebase-security

Share Improve this question Follow edited May 25, 2023 at 19:47 EASY EMDR asked Jul 6, 2020 at 21:42 EASY EMDREASY EMDR 1311 silver badge44 bronze badges 1

• 1 When posting about security rules, your question should also contain the code from the client that is being rejected. We need to be able to see that your rules match your query. – Doug Stevenson Commented Jul 6, 2020 at 21:47

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 3

You need to specify that subcollection in your rules

service cloud.firestore {
  match /databases/{database}/documents {

    match /users/{userId} {
      allow read: if request.auth.uid == userId;

      match /practitionerClients/{clientId} {
        allow read: if request.auth.uid == userId;
      }

    }
  }
}

Whenever you add a new sub-collection like that you should usually have to specify it or add a wildcard rule for that path. So instead of the above rule you could do this

service cloud.firestore {
  match /databases/{database}/documents {

    match /users/{userId}/{document=**} {
      allow read: if request.auth.uid == userId;
    }
  }
}

you can read more here

Your rules don't match any documents. You have to retain the match for /databases/{database}/documents that you were given in the initial set of rules, and as shown in the documentation.

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
     allow read: if request.auth.uid == userId;
    }
  }
}

For any persons who still face this issue. If you have subcollection in ff, you may try this option. please allow everyone/auth user to read the subcollection.

How to do that? go to data >> find setting symbol >> scroll down till you meet crud table >> check to allow read >> deploy rules

if you want to undo the rules, just visit firebase or supabase and delete that version of rules.