I want to build an iOS app where the users have different permissions to access a document. How can I give the user read/write access when he is an admin, only read when he is a viewer and no access otherwise to a document using Firestore rules? Every user is allowed to create new documents.
My Firebase Rules:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
How I added admin and viewers of each document
When the users email (I'me using Firebase Auth) is on the list, he is admin or viewer.
I'me an iOS Developer and therefor have no experience with Java Script.
Ok, I Am Android Developer but I Have solved your problem You should put a statement in your app to check if an account is Admin or not (example) { The User Input his email, and now we will chick if his account found in admins or viewers so we will use code (it's just example code) Create button invisible and enabled=false FireBase.child("Admins/"+inputuser).addValuelistener.(new AddValueListener....... if(snapshot.getValue.toString!=null){ the user is admin button=visble and enabled=true }else{ the user is viewer } I Hope you understand me
I researched a bit and came up with a solution:
service cloud.firestore {
match /databases/{database}/documents {
match /organizations/{organization} {
allow create: if allowCreate();
allow update, delete: if allowWrite();
allow read: if allowRead();
}
}
function allowCreate () {
return request.auth != null;
}
function allowRead() {
return resource.data.viewers.hasAll([request.auth.token.email]) ||
resource.data.admins.hasAll([request.auth.token.email]);
}
function allowWrite() {
return resource.data.admins.hasAll([request.auth.token.email])
}
}
Related
My security rules are super simple. I have two collections - riders and races:
riders: can only be read from or written to when the user is signed in
races: can be read from by unauthenticated user; written to when user is signed in.
service cloud.firestore {
match /databases/{database}/documents {
// restrict read/write on all to authenticated
match /{document=**} {
allow read, write: if request.auth != null;
// then allow collection read if match
match /races/{id} {
allow read, list: if true;
}
}
}
}
These rules allow what appears to be the correct setup using the Firebase consoles Rules Playground but in the browser auth users behave as expected but the unauthed users are returned an error when making a call for a race:
core.js:6456 ERROR FirebaseError: Missing or insufficient permissions.
at new e (prebuilt-47338342-439a2133.js:188)
at prebuilt-47338342-439a2133.js:10415
at prebuilt-47338342-439a2133.js:10416
at e.onMessage (prebuilt-47338342-439a2133.js:10438)
at prebuilt-47338342-439a2133.js:10355
at prebuilt-47338342-439a2133.js:10386
at prebuilt-47338342-439a2133.js:15146
at ZoneDelegate.invoke (zone.js:372)
at Zone.run (zone.js:134)
at zone.js:1276
// service call
this.racesCollection = this.firestore.collection<Race>('races');
this.racesCollection
.doc(id)
.valueChanges()
.pipe(takeUntil(this.destroy$))
.subscribe((response: any) => {
console.log('=== APP SERVICE emits race ===', response);
this.race.next(response);
});
I've tried rewriting the rules but cannot seem to find my way around this one. Any help or ideas appreciated! Thanks.
You should write your security rules in such a way they overlap:
service cloud.firestore {
match /databases/{database}/documents {
// restrict read/write on all to authenticated
match /{document=**} {
allow read, write: if request.auth != null;
}
// then allow read for the races collection for all users
match /races/{id} {
allow read, list: if true;
}
}
}
In addition, note that list is a "sub-case" of read, so you might remove the list rule, i.e. just do allow read: if true;.
BTW, the simulator does correctly show that your rules do not allow reading a document in the races collection if you are not authenticated.
For context, I display my Firebase app's configuration in the app.js file (is this safe?) and in order to give a user their data I list the following code:
db.collection('whispers').where("sender", "array-contains",
userID).orderBy('time').onSnapshot(snapshot => {
let changes = snapshot.docChanges();
changes.forEach(change => {
renderSay(change.doc);
});
});
Could a user remove the 'where' condition and access all data in this collection? I only use anonymous sign in so nothing special required in accessing their own data besides using the same device and not clearing data.
I doubt that could be possible by reverse-engineering but the actual security lies in the security rules.
You can change them from the Firebase Console
Here is a video from Firebase and here is the documentation
service cloud.firestore {
match /databases/{database}/documents {
// Match any document in the 'users' collection
match /users/{userID} {
allow read: if request.auth.uid === userID;
allow write: if request.auth.uid === userID;
}
}
}
Using the above security rules will allow users to read and write their data ONLY.
So even if they reverse-engineer your code, it will harm their data only and other data will be safe.
For more details please check the links above and you will get familiar with wildcard [{userID} in this case]
PS: Only you or anyone with access to your Firebase Console can change the rules
EDIT: This Medium Article has many types of rules explained. Please have a read there too :D
I'm having what I think maybe a simple issue with Firebase Rules, but I can't seem to get this to work. I have a document 'Companies', with multiple subcollections inside. I want to set up a rule that checks for admins in an array (with each array item being a string of the firebase userId) inside a 'company' document and allows them to read/write all subcollections of that document.
Here's the data structure in a single company document:
company1 {
admins: ["userid1", "userid2", "userid3"],
}
Here's my firebase rule:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /companies/{company}/{document=**} {
allow read, write: if request.auth.uid in get(/databases/$(database)/documents/companies/$(company)).data.admins
}
}
}
Here's an example of a query that's not working when it should:
let ref = db.collection("companies");
//get current users company
ref
.where("admins", "array-contains", firebase.auth().currentUser.uid)
.get()
.then((snapshot) => {
snapshot.forEach((doc) => {
this.company = doc.data();
this.company.id = doc.id;
});
});
I hope my question makes sense :)
I found an answer, I hope it helps anyone who might come upon this.
I ended up adjusting the data structure to include the company document ID as a field in the user doc. Then, I created these rules to allow users to read/write their own user doc based on firebase authentication, as well as read/write their companies based on a field in the user doc:
service cloud.firestore {
match /databases/{database}/documents {
// Allow users to create and edit the document for themselves in the users collection
match /users/{user} {
allow read, write: if request.auth.uid == user;
}
// Allow users to create a company for themselves upon signup
match /companies/{company} {
allow create: if request.auth.uid != null
}
match /companies/{company}/{document=**} {
// Allow users to read/write data on thier own companies
allow read, write: if company in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.companies
}
}
}
I'm having problems uploading an image to Firebase Storage. I'm using React Native's #react-native-firebase/storage and the installation and connectivity seem to be fine because I'm able to reference images just fine:
const ref = firebase.storage().ref('myImage.png');
The problem is definitely permissions based because when I temporarily remove:
: if request.auth != null
from Firebase console Storage Rules:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
This worked just fine:
firebase.storage()
.ref('images/test.jpg')
.putFile(myImage[0].path)
.then((successCb) => {
console.log('successCb');
console.log(successCb);
})
.catch((failureCb) => {
console.log('failureCb');
console.log(failureCb);
});
So how do I authenticate to use putFile securely?
EDIT:
I'm using "#react-native-firebase/storage": "^6.2.0"
Thanks in advance!
Edit Firebase storage rules to allow uploads without the need of installing #react-native-firebase/auth.
Navigate to Firebase console
In Sidebar under Develop open Storage
Open Rules tab
replace below rule
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write
}
}
}
And Publish
Done
That's it Frank!
I wrongly thought of the app as a user that was already authenticated through the GoogleService-Info.plist file and not that the user of the app needs to be authenticated.
My steps to fix:
install #react-native-firebase/auth
go into the Authentication section of your firebase console and Enabling the Anonymous Signin method
call firebase.auth().signInAnonymously() in componentDidMount()
And...finally able submit the putFile to storage successfully!
Big thanks #FrankvanPuffelen !!
I'm new in coding, but i face same problem.
In my Situation, It did not work with Ananymous SignIn.
I had to change the Directory location to make it work.
Original Rule:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o { => Change here
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Change to:
rules_version = '2';
service firebase.storage {
match /b/Your_APP_Name.appspot.com/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
we can over come this in two ways. either we need to authenticate the user while uploading the files to the database. or if it is only for the testing purpose i recommend to go to storage in firebase and click on rules and change "allow read, write: if request.auth != null" to "allow read, write: if request.auth == null". i recommend to autheticate the user for safe and secure files.
I hope your problem solved.
My Firebase web app requires administrator access, i.e., the UI should show a few things only for admins (an 'administrator' section). I came up with the below as a means to authorize the UI to display the admin section for valid admins only. My question is, good or bad? Is this a sound means of authorizing? ...so many ways to do this. This particular way requires me to configure admins in the security rules (vs in a node/tree in a db/firestore)
My idea is that if the .get() fails due to unauthorized access, I tell my app logic the user is not an admin, if the .get() succeeds my logic shows the 'admin' sections. Of course, the 'sections' are just HTML skeletons/empty elements populated by the database so even if the end user hacks the JS/logic, no real data will be there - only the empty 'admin section' framework.
function isAdmin(){
return new Promise(function(resolve, reject){
var docRef = firebase.firestore().collection("authorize").doc("admin");
docRef.get().then(function(result) {
if (result) {
resolve (true);
}
}).catch(function(error) {
resolve (false);
});
});
}
The firestore rule specifies the 'admins' by UID.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth.uid == "9mB3UxxxxxxxxxxxxxxxxxxCk1";
}
}
}
You're storing the role of each user in the database, and then looking it up in the client to update its UI. This used to be the idiomatic way for a long time on realtime database, and it still works on Firestore.
The only thing I'd change is to have the rules also read from /authorize/admin, instead of hard-coding the UID in them. That way you only have the UID in one place, instead of having it in both the rules and the document.
But you may also want to consider an alternative: set a custom claim on your admin user, that you can then read in both the server-side security rules (to enforce authorized access) and the front-end (to optimize the UI).
To set a custom claim you use the Firebase Admin SDK. You can do this on a custom server, in Cloud Functions, but in your scenario it may be simpler to just run it from your development machine.
Detailed How To: Firebase has what's called Custom Claims for this functionality as detailed in their Control Access with Custom Claims and Security Rules. Basically, you stand up a separate node server, install the Firebase AdminSDK:
npm install firebase-admin --save
Generate/Download a Private Key from the Service Accounts tab in the Firebase Console and put that on your node server. Then simply create a bare bones node app to assign Custom Claims against each UID (user) that you wish. Something like below worked for me:
var admin = require('firebase-admin');
var serviceAccount = require("./the-key-you-generated-and-downloaded.json");
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
databaseURL: "https://xxxxxxxxxxxxxxxxxxxx.firebaseio.com"
});
admin.auth().setCustomUserClaims("whatever-uid-you-want-to-assign-claim-to", {admin: true}).then(() => {
console.log("Custom Claim Added to UID. You can stop this app now.");
});
That's it. You can now verify if the custom claim is applied by logging out of your app (if you were previously logged in) and logging back in after you update your web app's .onAuthStateChanged method:
firebase.auth().onAuthStateChanged(function(user) {
if (user) {
firebase.auth().currentUser.getIdToken()
.then((idToken) => {
// Parse the ID token.
const payload = JSON.parse(window.atob(idToken.split('.')[1]));
// Confirm the user is an Admin.
if (!!payload['admin']) {
//showAdminUI();
console.log("we ARE an admin");
}
else {
console.log("we ARE NOT an admin");
}
})
.catch((error) => {
console.log(error);
});
}
else {
//USER IS NOT SIGNED IN
}
});