Search
Search

Locking a document with firebase rules

Cristóbal Felipe Fica Urzúa Published at Dev
6
Cristóbal Felipe Fica Urzúa

I have this set of rules in firestore

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
  
    match /{document} {
      allow read: if true;
      allow write: if isTrustworthy();
    }
    match /stores/{storeId}{
      match /{document} {
        allow read: if true;
        allow write: if isTrustworthy();
      }
      match /departures/{departureId} {
        allow read: if true;
        allow write: if !(resource.data.locked);
      }  
    }
        
    function isTrustworthy(){
      return isSignedIn() && emailVerified();
    }
    
    function isSignedIn() {
      return request.auth != null;
    }
    function emailVerified() {
      return request.auth.token.email_verified;
    }
  }
}

but I get an error when setting, updating or deleting in the departures path.

eg.

this.afs.collection('stores').doc(this.auth.store)
   .collection('departures')
   .doc(element.shipping.trackingNumber.toString())
   .set({"test":true})

the document is not existent, but it won't work neither if the document exist, independent of the parameter "locked" I got the following error:

ERROR Error: Uncaught (in promise): FirebaseError: [code=permission-denied]: Missing or insufficient permissions.

FirebaseError: Missing or insufficient permissions.

What I need is that if the document has a parameter "locked" set to true, it cannot be deleted, updated, nor set with {merge:true} option.

any help will be much appreciated.

l1b3rty

There are a few issues with your rule and code:

  1. On create, resource.data does not exist
  2. On update or delete, it could be that the field locked does not exist
  3. When you use set to create or update a document in Firestore, you have to add the options {merge: true}, to update the document instead of overwriting it in case it already exists.

Try this instead:

  • Code:

    this.afs.collection('stores').doc(this.auth.store)
  .collection('departures')
  .doc(element.shipping.trackingNumber.toString())
  .set({"test":true}, {merge: true})

  • Rules:

    match /departures/{departureId} {
  allow read: if true;
  allow create: if true;
  allow update, delete: if !resource.data.get("locked", false);
}

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

Cloud Firestore document locking

Firebase Security Rules -- using attribute from User document

Firebase "read" rules executing even when no document is found in a query result

Firebase security rules: allow 'get' when document has a specific field

Firebase Security Rules: Allow if user uid exists in a collection as a document

how do you access a variable in a firebase document in the security rules?

Firebase database rules, only allow delete if the document property equals the authenticated user id

Why are my Firebase Firestore Security Rules allowing a .set() operation on an existing document, but the .set() has missing fields

Firebase (firestore) rules: ensure update only if another document is updated (FieldValue increase)?

Why don't my Firebase Firestore rules allow access when I use a document path?

Document field locking using iText7

Firebase security rules for Firebase events

Insecure rules in firebase

Firebase security rules like this?

Firebase rules for comment on a post

Firebase Database Rules for groups

Firebase Realtime Database - Rules

Firebase Rules for all users

Firebase storage rules charges

Firebase rules change

Wildcard in Firebase database rules

Firebase security rules not working

Firebase Rules wildcard Key

Having trouble with firebase rules

Firebase nested indexing rules

Firebase Security Rules for Storage

Firebase Rules syntax error

What are the ProGuard rules for Firebase?

Firebase Authentication and Database Rules

TOP Ranking

  1. 1

    pump.io port in URL

  2. 2

    Failed to listen on localhost:8000 (reason: Cannot assign requested address)

  3. 3

    How to import an asset in swift using Bundle.main.path() in a react-native native module

  4. 4

    How to use HttpClient with ANY ssl cert, no matter how "bad" it is

  5. 5

    Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

  6. 6

    Modbus Python Schneider PM5300

  7. 7

    What is the exact difference between “ use_all_dns_ips” and "resolve_canonical_bootstrap_servers_only” in client.dns.lookup options?

  8. 8

    Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

  9. 9

    BigQuery - concatenate ignoring NULL

  10. 10

    Is there an option for a Simulink Scope to display the layout in single column?

  11. 11

    Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

  12. 12

    How to define a specific version of macOS in C

  13. 13

    MERGE with DELETE on target with partial match on source?

  14. 14

    Apache rewrite or susbstitute rule for bugzilla HTTP 301 redirect

  15. 15

    Soundcloud API Authentication | NodeWebkit, redirect uri and local file system

  16. 16

    express js can't redirect user

  17. 17

    UWP access denied

  18. 18

    How to Set Particular Area/Region Selected MapView

  19. 19

    split column by delimiter and deleting expanded column

  20. 20

    Center buttons and brand in Bootstrap

  21. 21

    How to design a xml file to display in more screen

HotTag

Archive