I've been working on cleaning up some of my Firestore database rules and have a question regarding the difference between...

allow get: if request.auth == null;

and

allow read: if request.auth != null;

I used the first rule so that unauthenticated users can do a lookup in a particular collection to see if a user name has already been "taken". The second rule is for authenticated users to be able to read the underlying documents in this same collection. My understanding is that by using "allow get:" for the unauthenticated users, they (or anyone outside of my app) will NOT be able to actually see/read the underlying document data (i.e. any fields stored in those documents). For my app, it's OK if anyone outside the app happens to see a bunch of doc IDs (generic user names) because they can't really do anything with them. However, I do not want them to be able to get at the other document fields. Unfortunately, new users that are at this point in the app signup process are unauthenticated.

Can anyone confirm that "allow get:" prevents unauthenticated users or outsiders from reading/seeing document data? I was not able to find any specific Firebase documentation with regard to this.

asked Mar 19 at 21:42 by KatM; edited Mar 19 at 22:08 by Doug Stevenson

1 Answer

My understanding is that by using "allow get:" for the unauthenticated users, that they (or anyone outside of my app) will NOT be able to actually see/read the underlying document data (ie. any fields stored in those documents).

This is incorrect. get permission allows anyone who knows a path to a document to obtain the entire document. The difference between get and read is that get only allows single document access where the full path to the document is known, and read allows queries to be performed against a collection to return zero or more documents.

The closest thing in the documentation that shows an example:

match /cities/{city} {
  // Applies to single document read requests
  allow get: if <condition>;
}

get is what is used when someone builds a reference to a document and uses get() or getDoc() to read it. There is no per-field access control. There is no security rule to allow someone to know if a document ID exists without also being able to read it. Also in the documentation it says:

Reads in Cloud Firestore are performed at the document level. You either retrieve the full document, or you retrieve nothing. There is no way to retrieve a partial document. It is impossible using security rules alone to prevent users from reading specific fields within a document.

For that, you will need a backend endpoint that controls access to that document and returns only what the caller is supposed to know about it.
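
The backend endpoint recommended above could look like the following. This is an added example, not part of the original answer: the collection name `usernames`, the username policy and the function names are assumptions, and `fakeDb` is a constructed in-memory stand-in for the firebase-admin Firestore client so the block runs offline.

```javascript
// Added example. Assumed: collection "usernames", doc ID = lowercase user name.
// Assumed policy: 3-30 chars of [a-z0-9_]. Rejecting everything else also keeps
// "/" and ".." out of the document path built from caller input.
const USERNAME_RE = /^[a-z0-9_]{3,30}$/;

function normalizeUsername(raw) {
  if (typeof raw !== 'string') return null;
  const name = raw.trim().toLowerCase();
  return USERNAME_RE.test(name) ? name : null;
}

// `db` is shaped like the firebase-admin Firestore client, e.g. getFirestore()
// from 'firebase-admin/firestore' inside a Cloud Function.
async function isUsernameTaken(db, raw) {
  const name = normalizeUsername(raw);
  if (name === null) return { ok: false, error: 'invalid-username' };
  const snap = await db.collection('usernames').doc(name).get();
  // Return only the existence bit. snap.data() never leaves the server.
  return { ok: true, taken: snap.exists };
}

// Constructed in-memory stand-in for Firestore (sample data is made up).
function fakeDb(docs) {
  return {
    collection: (col) => ({
      doc: (id) => ({
        get: async () => {
          const data = docs[`${col}/${id}`];
          return { exists: data !== undefined, data: () => data };
        },
      }),
    }),
  };
}

const sampleDb = fakeDb({
  'usernames/alice': { uid: 'constructed-uid', email: 'alice@example.test' },
});

async function demo() {
  return [
    await isUsernameTaken(sampleDb, 'Alice'),      // existing name
    await isUsernameTaken(sampleDb, 'free_name'),  // unused name
    await isUsernameTaken(sampleDb, '../secrets'), // rejected before any read
  ];
}

demo().then((results) => console.log(JSON.stringify(results)));
```

Because the Admin SDK is not subject to security rules, the `allow get: if request.auth == null;` rule can be removed once signup calls this endpoint, leaving only the authenticated `allow read` rule on the collection.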
