Great post.
adding "&& request.auth.token.email == resource.data.userEmail;" to the database rules give me a console error like "Uncaught (in promise) FirebaseError: Missing or insufficient permissions".
deleting it all go fine.
You're right - there 's a problem with my rules. I'm not sure how this slipped through but rules for "create" need to be a bit different to those for read, update and delete. I should have declared them as
service cloud.firestore {
match /databases/{database}/documents {
match /userShoppingLists/{document} {
allow read, delete, update : if request.auth != null && request.auth.token.email == resource.data.userEmail;
allow create : if request.auth != null && request.auth.token.email == request.resource.data.userEmail;
}
}
The "create" rule needs to recognise that this is a "pending" request as the data isn't actually in a document yet and can't be located at resource.data.userEmail
The "users should only see documents stamped by their user-id (userEmail)" stuff isn't really relevant to the main purpose of the post so I've edited this subtlety out
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Great post.
adding "&& request.auth.token.email == resource.data.userEmail;" to the database rules give me a console error like "Uncaught (in promise) FirebaseError: Missing or insufficient permissions".
deleting it all go fine.
You're right - there 's a problem with my rules. I'm not sure how this slipped through but rules for "create" need to be a bit different to those for read, update and delete. I should have declared them as
The "create" rule needs to recognise that this is a "pending" request as the data isn't actually in a document yet and can't be located at resource.data.userEmail
The "users should only see documents stamped by their user-id (userEmail)" stuff isn't really relevant to the main purpose of the post so I've edited this subtlety out