firebase-security

问题 Final Goal: my company will start use Firestore to update transaction status to our Mobile Application and Angular 9 frontend. Immediate challenge: learn how use Custom Token. Current issue: I get this erro although it is owner: "error": { "code": 403, "message": "Missing or insufficient permissions.", "status": "PERMISSION_DENIED" } I can't understand why getting PERMISSION_DENIED if the idToken is related to the Collection Owner. IAM Admin showing the user is owner: Steps to reproduce: 1 -

问题 Final Goal: my company will start use Firestore to update transaction status to our Mobile Application and Angular 9 frontend. Immediate challenge: learn how use Custom Token. Current issue: I get this erro although it is owner: "error": { "code": 403, "message": "Missing or insufficient permissions.", "status": "PERMISSION_DENIED" } I can't understand why getting PERMISSION_DENIED if the idToken is related to the Collection Owner. IAM Admin showing the user is owner: Steps to reproduce: 1 -

问题 Can't seemed to use Firestore Security Rule .hasAny(). Is this method deprecated or no longer available? I am using it like /// Functions - NOT WORKING!!! /// function isTeamMember(teamId, userId) { return get(/databases/$(database)/documents/team_access_privilege/$(teamId)).data[userId].hasAny(['OWNER', 'ADMIN', 'STANDARD']) } The Firestore data is structured as such - team_access_privilege (COLLECTION) -- teamId (DOCUMENT) --- userId1 (KEY) : 'OWNER' (VALUE) --- userId2 (KEY) : 'ADMIN'

问题 Can't seemed to use Firestore Security Rule .hasAny(). Is this method deprecated or no longer available? I am using it like /// Functions - NOT WORKING!!! /// function isTeamMember(teamId, userId) { return get(/databases/$(database)/documents/team_access_privilege/$(teamId)).data[userId].hasAny(['OWNER', 'ADMIN', 'STANDARD']) } The Firestore data is structured as such - team_access_privilege (COLLECTION) -- teamId (DOCUMENT) --- userId1 (KEY) : 'OWNER' (VALUE) --- userId2 (KEY) : 'ADMIN'

问题 In Cloud Firestore Rules - I have a document called task and I want to see if some data ( assignee field) is null / don't exists. I've tried: resource.data.assignee == null - Does not work (Error) !resource.data.hasAll(['assignee']) - Does not work (Error) From the documentation - it states that this indeed creates an error: // Error, key doesn't exist allow read: if resource.data.nonExistentKey == 'value'; 回答1: Reading the list comparisons of the Firestore Security rules documentation here,

问题 I have a collection called users where I am checking if new users mobile no is present or not. If It is present then I am performing phone authentication for that user then storing uid as a field in document. If user is coming for the first time, he is not authenticated and I am performing read operation from users collection. Now every time I am getting Your Cloud Firestore database has insecure rules email from google. Below is the rule I am using. Please let me know how can I make it

问题 There are some other (older) questions about this, but since they already are a few years old, I am curious if there have been an update about this. I want to animate a lottery, in which users can buy tickets. Everything is going well, but I want to make sure there are never more than a thousand sold tickets. It has to be server side, and these are my rules: "Lottery": { ".read": "auth != null", ".write": "auth != null", "counter": { ".validate": "newData.isNumber() && newData.val() > 0 &&

问题 I was wondering if this security rule would be possible: function productForUser() { return resource.data.products.hasAny(get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.products); } When I try to test it in the testing plaground on the Firebase website, it is sucessful. However, when I try to run it with Javascript, with this query, I get the read denied, with "missing or insufficient permissions": query.where("products", "array-contains", productId); I can confirm that

问题 I am making batch operation from client to update only one field but while making batch operation and on testing in security rules It is observed that more than one fields are being updated. I checked this using request.resource.data.size() >1 and request.resource.data.keys().size()>1 returning true (document being updated) but this is not intended as I want to check in security rules that only one field is being updated using checks like request.resource.data.keys().hasOnly([

问题 I have notification records where there is a text and a list of users (max 10). {text: "Beware of the dog", users: [ uid1, uid2, uid3, ... ]} When a user read/acknowledge the notification, I want to remove him from the list of users who can see the notification (then he won't get any anymore). For that, when the user press the "hide notification button", he send a request to update the notification record with: users: FieldValue.arrayRemove(uid) I want to enfore with security rules that the