Follow

Keep Up to Date with the Most Important News

By pressing the Subscribe button, you confirm that you have read and are agreeing to our Privacy Policy and Terms of Use
Follow
Facebook Twitter Instagram Youtube
Contact

Firestore security rules missing permissions on create new document for new authenticated user

byMR
February 25, 2022

I’m trying to setup a role-based Firestore security rules but I’m stuck with how to create a new document if the incoming data uid matches with the auth uid.

But where to define that incoming uid?

I have tried to initialize the user uid of the new user to my model like this code below but it still missing some permissions.

MEDevel.com: Open-source for Healthcare and Education

Collecting and validating open-source software for healthcare, education, enterprise, development, medical imaging, medical records, and digital pathology.

Visit Medevel 

final personalInfoData = PersonalInfoModel(
   uid: auth.getUid(),
   name: name,
   age: int.parse(age),
);

Here is my code looks like

match /profile/{profileId}/{document=**}{
    allow read: if isSignedIn() && docIdEqualsAuthId(profileId);
    allow create: if isSignedIn() && incomingUidEqualsAuthId();
} 

function isSignedIn(){
    return request.auth != null;
}
    
function docIdEqualsAuthId(profileId){
    return profileId == request.auth.uid;
}

function incomingUidEqualsAuthId(){
    return request.resource.data.uid == request.auth.uid;
}

Here is my controller code :

String getUid() {
  return auth.currentUser!.uid;
}

final personalInfoData = PersonalInfoModel(
  name: name,
  age: int.parse(age),
);

DocumentReference profileCRef =
    firestore.collection("profile").doc(auth.getUid());

try {
  await profileCRef.set({'personalInfo': json}, SetOptions(merge: true));
} on Exception catch (e) {
  print(e);
}

The way I setup my controller is it will create a new document with a document Id of request.auth.uid of the new user.

I want rules to identify if the new user is authenticated and the incoming request to create a profile info must have a valid user id that matches with the auth uid.

If the document still not exists in the database then create a new document with an ID of the uid.

The error I’m getting is this

W/Firestore(14626): (24.0.1) [WriteStream]: (221034) Stream closed with status: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}.

W/Firestore(14626): (24.0.1) [Firestore]: Write failed at profile/N8CuobvPdHXr40KYgebw52SmOBp2: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

>Solution :

The request.resource.data is the data that you are trying to add in the document. Currently uid is not a field in document but a property in personalInfo map. So you must specify path to the field that you are trying to read in security rules. The following should work:

function incomingUidEqualsAuthId(){
    return request.resource.data.personalInfo.uid == request.auth.uid;
}
byMR
Published
Add a comment

Leave a Reply

Keep Up to Date with the Most Important News

By pressing the Subscribe button, you confirm that you have read and are agreeing to our Privacy Policy and Terms of Use

Read more

Discover more from Dev solutions

Subscribe now to keep reading and get access to the full archive.

Continue reading