Why Am I Getting Firestore Alerts -> Your Project's Cloud Firestore Database "default" Has Insecure Rules

I want unlogged-in users of my reactjs webapp to be able to read only the "business profile" collection.

[screenshot of the Firestore alert]

I have the following db structure: [screenshot of the database structure]

And the following rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Recursive wildcard: these rules apply to every document in the database
    match /{document=**} {
      allow read: if true;
      allow write: if request.auth != null;
    }
  }
}

I am quite new to the firestore rules; I have tried multiple ways and this is the only one that worked for me.

Answer

The user Dharmaraj previously mentioned that your rules are allowing any user to read and write to any collection of the database, something you can validate using the rules playground. If that is the desired behavior, then you can ignore these alerts.

However, you said you wanted unlogged users of your app to be able to read only “business profile collections”. You can read the Production-ready rules and its sections, then use the one that is best for you. The way I see it, you should read and use the Attribute-based and Role-based access section and finish with something like this:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // For attribute-based access control, check a boolean `admin` attribute
    // stored on the caller's document in the `users` collection
    allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    allow read: if true;

    // Alternatively, for role-based access, assign specific roles to users
    // (replace `some_collection` with the collection you want to protect)
    match /some_collection/{document} {
      allow read: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Reader";
      allow write: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Writer";
    }
  }
}

That said, you might want to check them and read them carefully to see if any other option is more suitable for you. I will add the Security Rules language that is needed to understand what your rules are doing and how to Fix insecure rules.
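For comparison, here is an added example (not from the question, the answer or the Firebase documentation) of a rules file that does what the question asks for: anonymous reads limited to one collection, with every other path closed by default. The collection ID `business_profiles` and the `users` collection are assumptions; substitute the real collection names from the database.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // INSECURE (what triggers the alert): the recursive wildcard `{document=**}`
    // grants every visitor read access to every document in the database.
    //
    // match /{document=**} {
    //   allow read: if true;
    //   allow write: if request.auth != null;
    // }

    // SECURE: scope the public read to the one collection that is meant to be public.
    // `business_profiles` is an assumed collection ID; use the real one.
    match /business_profiles/{profileId} {
      allow read: if true;                   // anyone, signed in or not, may read
      allow write: if request.auth != null;  // only signed-in users may create/update/delete
    }

    // Example of a private collection (assumed): a signed-in user may only
    // touch their own document, and nobody may list other users' documents.
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    // No other `match` blocks exist, so reads and writes to any other path are
    // denied by default; there is no need for an explicit "deny all" rule.
  }
}
```

Rules are only ever permissive, so a single `match /{document=**}` with `allow read: if true` overrides any narrower block and is what the "insecure rules" check flags. After publishing, the Rules Playground in the Firebase console can confirm that an unauthenticated `get` on `/business_profiles/{id}` is allowed while the same request against `/users/{id}` is denied.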

source: stackoverflow.com