Home > OS >  Firebase cross-service Security Rules not working in application
Firebase cross-service Security Rules not working in application

Time:10-13

I'm trying to use the new Firebase cross-service Security Rules (enter image description here

The same function is working for Firestore Rules to avoid updating certification document if not the creator, without any problem.

It seems to be a problem calling to firestore.get to creatorRef after obtaining it but it not make sense!

Tested:

  1. If I use Firestore Storage Rules validator, it is not failing and it says I have access to that resource from the UID typed in the tester (for other UID is failing as expected). But in my app, even logged in with creator user is getting permission error.

  2. If changing the function to only one call directly to the Users collection id (return firestore.get(/databases/(default)/documents/users/CuutSAtFkDX2F9T8hlT4pjMUByS2).id == request.auth.uid;), it is working in the tester and my app. But it isn't a solution because I need to get first the Users collection ref for the creator!

For original function in the tester It's getting the variables as expected and returning true if simulate the creator UID! But for any reason, in the real app access it is getting unauthorized if making both calls!

CodePudding user response:

Firebaser here!

It looks like you've found a bug in our implementation of cross-service rules. With that said, your example will create two reads against Firestore but it's possible to simplify this to avoid the second read.

Removing the second read

From your post:

return firestore.get(certification.data.creatorRef).id == request.auth.uid;

This line is a bit redundant; the id field is already contained in the certification.data.creatorRef path. Assuming you are indeed using Firestore document references, the format of creatorRef will be /projects/<your-project-id>/databases/(default)/documents/users/<some-user-id>. You can therefore update your function to the following:

function userIsCreator() {
  let certification = firestore.get(/databases/(default)/documents/certifications/$(certification));
  let creatorRef = certification.data.creatorRef;

  // Make sure to replace <your-project-id> with your project's actual ID
  return creatorRef ==
      /projects/<your-project-id>/databases/(default)/documents/users/$(request.auth.uid);
}

I've tested this out in the emulator and in production and it works as expected. The benefit of doing it this way is you only have to read from Firestore once, plus it works around the bug you've discovered.

Page link:https//www.codepudding.com/os/574405.html

Prev:Is it possible that the ID token generated by FCM is a duplicate?
Next:How can I iterate over an array objet in ReactJs?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding