DEV Community

Discussion on: 2.2 A student's guide to Firebase V9 - Coding a simple webapp

Alessandro Piconi

Great post.
Adding "&& request.auth.token.email == resource.data.userEmail;" to the database rules gives me a console error like "Uncaught (in promise) FirebaseError: Missing or insufficient permissions".
Deleting it, all goes fine.

MartinJ • Edited

You're right - there's a problem with my rules. I'm not sure how this slipped through, but rules for "create" need to be a bit different to those for read, update and delete. I should have declared them as

service cloud.firestore {
  match /databases/{database}/documents {

    match /userShoppingLists/{document} {
        // existing document: compare against the stored data
        allow read, delete, update : if request.auth != null && request.auth.token.email == resource.data.userEmail;
        // pending document: compare against the incoming write
        allow create : if request.auth != null && request.auth.token.email == request.resource.data.userEmail;
    }
  }
}

The "create" rule needs to recognise that this is a "pending" request, as the data isn't actually in a document yet and can't be located at resource.data.userEmail.

The "users should only see documents stamped by their user-id (userEmail)" stuff isn't really relevant to the main purpose of the post, so I've edited this subtlety out.
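The distinction MartinJ describes, shown as an added model of rule evaluation (not code from the post or from Firebase): in Rules, `resource` is the document that already exists, so it is null on create, while `request.resource` is the incoming write; an error while evaluating a rule (such as reading `data` off a null `resource`) is treated as a deny, which is what produced the "Missing or insufficient permissions" error. The sample auth token and documents are constructed for the illustration.

```javascript
// Firestore treats a rule that throws (e.g. null dereference) as "deny".
function evaluate(ruleFn, ctx) {
  try { return ruleFn(ctx) === true; } catch (e) { return false; }
}

// The original rule: ownership checked against the STORED document.
// Correct for read/update/delete, but `resource` is null on create.
function ownsExisting({ request, resource }) {
  return request.auth != null && request.auth.token.email == resource.data.userEmail;
}

// The corrected create rule: ownership checked against the PENDING document.
function ownsIncoming({ request }) {
  return request.auth != null && request.auth.token.email == request.resource.data.userEmail;
}

// Build the context Firestore hands to a rule: `resource` only exists for a
// document already in the database, `request.resource` only for a write.
function context(auth, existingDoc, newDoc) {
  return {
    request: { auth, resource: newDoc ? { data: newDoc } : null },
    resource: existingDoc ? { data: existingDoc } : null,
  };
}

// create with the original rule: resource is null, so the rule errors -> denied
function createWithOriginalRule(auth, newDoc) {
  return evaluate(ownsExisting, context(auth, null, newDoc));
}
// create with the corrected rule: compares the incoming userEmail stamp
function createWithFixedRule(auth, newDoc) {
  return evaluate(ownsIncoming, context(auth, null, newDoc));
}
// read/update/delete: the stored document is available, original rule works
function readWithRule(auth, existingDoc) {
  return evaluate(ownsExisting, context(auth, existingDoc, null));
}

// Constructed sample: a signed-in user creating a list stamped with their own email.
const sampleAuth = { token: { email: "alice@example.com" } };
const sampleDoc = { userEmail: "alice@example.com", items: ["milk", "bread"] };

console.log("create, original rule:", createWithOriginalRule(sampleAuth, sampleDoc)); // false
console.log("create, fixed rule:   ", createWithFixedRule(sampleAuth, sampleDoc));    // true
console.log("read, original rule:  ", readWithRule(sampleAuth, sampleDoc));           // true
```

The third case also shows why the stamp matters: a create whose `userEmail` does not match the signed-in user's token is denied even under the corrected rule.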