I'm using Firestore. It requires security rules.
Here is the actual query I'm running against the collection group:
```javascript
const db = getFirestore(app);
const MainCollection = collectionGroup(db, "list");
const searchQuery = query(
  MainCollection,
  where("destination", "==", itinerary.destination),
);
```

The collection path is `/maincollection/{userId}/list/{documents=**}`.
The Firebase rules that have been suggested by CoPilot:

```
match /maincollection/{userId} {
  allow read: if request.auth != null;
  match /list/{document=**} {
    allow read: if request.auth != null;
  }
}
match /maincollection/{doc}/list/{itin} {
  allow read: if request.auth != null;
}
match /maincollection/{doc}/list/{document=**} {
  allow read: if request.auth != null;
}
match /maincollection/{document=**} {
  allow read, write: if request.auth != null;
}
```

All of those are giving me the following error:

```
Error searching itineraries: FirebaseError: Missing or insufficient permissions.
```
Since your query is a collection group query against a collection group called "list", you need to follow the instructions in the documentation for collection group queries and security rules:
> By default, queries are scoped to a single collection and they retrieve results only from that collection. With collection group queries, you can retrieve results from a collection group consisting of all collections with the same ID. This section describes how to secure your collection group queries using security rules.
>
> Secure and query documents based on collection groups
>
> In your security rules, you must explicitly allow collection group queries by writing a rule for the collection group:
>
> 1. Make sure `rules_version = '2';` is the first line of your ruleset. Collection group queries require the new recursive wildcard `{name=**}` behavior of security rules version 2.
> 2. Write a rule for your collection group using `match /{path=**}/[COLLECTION_ID]/{doc}`.
So you will want a match that looks more like this (assuming that you want all authenticated users to perform the query):

```
match /{path=**}/list/{doc} {
  allow read: if request.auth != null;
}
```

Note: if you didn't actually need a collection group query that queries all collections with the same name, then don't use `collectionGroup` at all to define the query. If you want to query a single subcollection, you should just provide the full path to the subcollection to the query builder functions, then your original rule that matches `/maincollection/{doc}/list/{itin}` might work the way you expect.
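
A complete ruleset showing where the collection group rule from the answer sits, added here as an example (it is not code from the question, the answer, or the Firebase documentation). The owner-only write rule is an assumption about the data model and is not stated on the page.

```firestore-rules
rules_version = '2';
// The line above must come first: version 2 is what lets {path=**}
// match zero or more path segments, which collection group rules rely on.

service cloud.firestore {
  match /databases/{database}/documents {

    // Collection group rule: this is what authorizes
    // collectionGroup(db, "list") queries from the client.
    // It matches every collection named "list" at any depth in the
    // database, not only those under /maincollection, so the read
    // condition below applies to all of them.
    match /{path=**}/list/{doc} {
      allow read: if request.auth != null;
    }

    // Assumption (not from the page): each user writes only to the "list"
    // subcollection under their own {userId} document.
    match /maincollection/{userId}/list/{doc} {
      allow write: if request.auth != null && request.auth.uid == userId;
    }

    // Rules are additive: if any matching rule allows a request, it is
    // granted. A broad rule such as
    //   match /maincollection/{document=**} { allow read, write: ... }
    // left in the ruleset would still permit writes by any signed-in user.
  }
}
```

Because the collection group rule applies to every collection named `list`, the read condition should be one you are willing to grant across all of them.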