I'm making a simple todo app. I'm able to add a document (todo) to the database and I'm able to read them, but only if I allow every document to be read, not just mine.
I'm trying to make it so that a ListView only shows me my todos. These Firebase rules allow me to see everyone's todos:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /todos/{document} {
      allow create: if request.auth != null;
      allow read: if request.auth != null;
      allow write: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
      allow delete: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
    }
    match /users/{document} {
      allow create: if request.auth.uid == document;
      allow read: if request.auth.uid == document;
      allow write: if request.auth.uid == document;
      allow delete: if false;
    }
  }
}
When I change the allow read line for the todos so that only matching uids are allowed to be read:
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /todos/{document} {
      allow create: if request.auth != null;
      allow read: if request.auth.uid == resource.data.uid;
      allow write: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
      allow delete: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
    }
    match /users/{document} {
      allow create: if request.auth.uid == document;
      allow read: if request.auth.uid == document;
      allow write: if request.auth.uid == document;
      allow delete: if false;
    }
  }
}
I get this error:
Firestore Security Rules Error on ListView: Missing or insufficient permissions.
Any thoughts on what could be causing this? I tried creating a new project in FlutterFlow and I tried creating a new project in Firebase. I get the same issue.
While we'd need to see your code/query to be certain, keep in mind that rules are not filters - but instead Firestore merely uses the rules to ensure your code doesn't read more data than it's allowed. You have to ensure that your code only requests data that the rules allow it to access.
Also see:
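The "rules are not filters" point from the answer above, as an added example (not code from the question or the answer): a simplified JavaScript model, not Firestore's actual evaluator, of how a list query is accepted or rejected as a whole based on its own constraints. It assumes each todo stores the owner's auth uid in a `uid` field, as the read rule in the question implies; the sample documents and function names are constructed for illustration.

```javascript
// Simplified model of "rules are not filters" (NOT Firestore's real evaluator).
// Rule modelled: allow read: if request.auth.uid == resource.data.uid;
// Assumption: each todo has a `uid` field holding the owner's auth uid.

// Constructed sample documents in /todos.
const todos = [
  { id: 't1', uid: 'alice', title: 'buy milk' },
  { id: 't2', uid: 'bob', title: 'fix bike' },
  { id: 't3', uid: 'alice', title: 'pay rent' },
];

// A list query is accepted only if its own constraints guarantee that every
// document it could match satisfies the rule. Stored data is never consulted
// for this decision, so an unconstrained query fails even for a user whose
// own documents exist.
function queryProvesRule(auth, filters) {
  if (!auth) return false;
  return filters.some(
    (f) => f.field === 'uid' && f.op === '==' && f.value === auth.uid
  );
}

// Runs a list query: all-or-nothing, like the ListView in the question.
// Only equality filters are modelled.
function listTodos(auth, filters) {
  if (!queryProvesRule(auth, filters)) {
    throw new Error('Missing or insufficient permissions.');
  }
  return todos.filter((d) => filters.every((f) => d[f.field] === f.value));
}

// Demo helper: returns the matching ids, or the error message on rejection.
function tryList(auth, filters) {
  try {
    return listTodos(auth, filters).map((d) => d.id);
  } catch (e) {
    return e.message;
  }
}

const alice = { uid: 'alice' };
// Unconstrained query: rejected as a whole, not trimmed down to alice's todos.
console.log(tryList(alice, []));
// Query constrained to the caller's own uid: accepted.
console.log(tryList(alice, [{ field: 'uid', op: '==', value: 'alice' }]));
// Query constrained to someone else's uid: rejected.
console.log(tryList(alice, [{ field: 'uid', op: '==', value: 'bob' }]));
```

In a real client the equivalent fix is to add an equality constraint on the owner field, with the signed-in user's uid as the value, to the query behind the ListView.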