Missing or insufficient permissions when writing to Firestore using field in access rules
I am getting an error when attempting to write to Firestore.
I am attempting to use a field containing the user uid for my security rule.
service cloud.firestore {
match /databases/{database}/documents {
match /messages/{document=**} {
allow read: if resource.data.user_uid == request.auth.uid;
allow write: if resource.data.user_uid == request.auth.uid;
}
}
}
If I have data in my Firestore database, the read rule works fine - but when I attempt to write I get: Error: Missing or insufficient permissions.
Is there something I'm doing wrong with this write rule?
P.S. If I change my rule to this, I'm able to write to my database - but this isn't secure enough for my purposes:
match /messages/{document=**} {
allow read: if resource.data.user_uid == request.auth.uid;
allow write: if request.auth != null;
}
Answer
resource.data refers to the data already stored, so your rule allowed users to only update data that already includes their user ID.
What you probably want to check is request.resource.data which is the new data coming in.
There's a rather extensive document about those fields and other security rules here: https://firebase.google.com/docs/firestore/security/rules-conditions