Most likely I am doing something basic wrong, but I can’t figure out the set-up of the Firestore security rule. The rule is really basic and decribed here> Writing conditions for Cloud Firestore Security Rules | Firebase
Everything works fine:
Works not:
Also not
rules_version = ‘2’;
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if request.auth != null;
}
}
}
Verification that user is logged in is in place → showing that user login works by displaying the userID.
In stackoverflow there are reports about this issue due to version releases of firestore. Might I be missing something connected to this?
Does anybody see, what I am missing?
2 Likes
Hi,
try to sign out and log in again through the app.
Thank you a lot for the idea and the screenshots! I gave it a try: but even logging out, re-starting the app and logging in again did not solve the problem. 
My ongoing trail and error approach also showed this crazy situation:
- using: “allow read, write: if request.auth == null;” makes the application work despite the fact, that at the same time the app displays the UserID of the currently logged in user.
Screenshot from iOS preview:
Somehow the security rule functions upside down 
Might this be connected to the trouble I am seeing??
- log-in with iOS-preview is possible (like described above)
- log-in with web-preview does not work
This is strange. I not sure if this is going to work. You may clear the cashe and data of the Appgyver app from your phone and check.
BTW have you enabled anonymous, if so, try to disable.
The problem stays the same,
- despite deleting the iOS-preview app and re-installing it.
- and ‘anonymous’ was and is disabled.
Anything else I can do?
I have tried it with HTTP request node, too, and I could not log in. I think there is a bug when using web preview.
BTW, I successfully created a new user via the web preview.
Your explanation of the bug is not entirely clear to me. Can you give some more details, about how you see the bug, please?
From my perspective:
- log-in: that works in the preview app → as proof for successful login: the preview-app can display the credentials of the logged in user (e.g. the userID).
- user creation: that works in the preview-app (in both cases: a user is already logged-in or no user is logged-in).
Not working:
- log-in the preview-app and use data from Firebase, when the security rule in firebase is set to
< allow read, write: if request.auth != null; >
Hi there,
Despite spending the week in reading everything I find about the firebase security rules, I still don’t find the solution. 
- Please, has anybody more ideas why the rule below is not working in the iOS preview app, despite a user is logged in?
- to understand if it is just me or a general topic: Does the rule work in your apps ?
- to me the data security is crucial to process user data responsibly!
Hey,
Ok my setup on firebase is a bit different to yours. It allows me to access all the info but I need to be logged in first.
Here is a screen shot of the coding etc:
It is very basic and allows everyone read and write access to the entire database.
For now it isnt perfect but it is preventing guests from accessing the database.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if true;
}
}
}
I hope this helps you. If not just PM me and I can see what else I can assist with
Hi,
thank you so much for sharing the rules you are using!! 
- when I use the rules you shared, my app can read and write data into firebase as well.
- Important: actually I am afraid you are mistaken about the protection of the set-up you shared: ‘allow read, write: if true;’ does not protect anything of your database. On the contrary any guest (or hacker) can take your API from your app (the API isn’t secret!) and abuse your database in every way. This is because the condition ‘if true’ is always true. This condition does not require authentication at all. (for more details: Writing conditions for Cloud Firestore Security Rules )
- nevertheless, can you please go one step further with me and do a test:
- please change only the condition into 'allow read, write: if request.auth != null; ’
this condition requires the user to be authenticated (= logged in).
- Then please log in into the preview of your app and try if you can still get the data from firebase.
It would be great if we could achieve a little bit of clarity about the security rules togehter! I am very curious how it will work for you.
1 Like
Hey,
I have good news, It looks like i worked my side and I was able to log in without a problem.
I was thinking, create a alert on the non successful login attempt and in the message select:
outputs[“Email & password authentication (Firebase Auth)”].error.rawError
Thank you for your suggestion!
I understand, that you used the condition 'allow read, write: if request.auth != null; ’ in your firebase security rule and then were able to login successfully. Actually that works fine for me as well and I doublechecked with your suggestion in the screenshot.
But I do not understand, if you were able to read or write data while using the condition 'allow read, write: if request.auth != null; ’
Did that work for you?
Yes, I was able to read and write to the database. Both work.
Are you able to do both as well?
Sadly I still can not read or write when using this security rule 😵💫
Oh no,
What raw error message does it give you if you put the alert on the get record collection?
Alert is set to:
It shows the following raw error in preview (both PC and iOS):
{“error”:{“code”:403,“message”:“Missing or insufficient permissions.”,“status”:“PERMISSION_DENIED”}}
I have used the rule below and it is working just fine:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write:if request.auth != null;
}
}
}
I tried another rule , and it is working, too:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write:if request.auth.uid != null;
}
}
}
BTW, if there is a firewall, try to disable it and re-check.
Thank you @Mazen_Al-Sakkaf and @Ashley_Mclean for your feedback when using these security rules in firebase. With your hints I now found that the troubles commences with the type of the data resource:
- Sadly the type “Google firebase / Cloud firestore” lacks the ability to work with sub-collections. (Firestore: get sub-collection - #4 by stayfoolish and Firebase firestore nested collections - #4 by Mari).
- To use sub-collections I followed the tutorials to the type “REST API direct integration”
- But I did not realize until now, that I separated the authentication from the data resource. This resulted in the disfunction when using a security rule.
Do you know where I can find an instruction, how to use “REST API direct integration” together with the authentication?
Hi,
Did you have a look at the following info for roles etc?
I am not sure if this could help you…
