App database rules

I am using the following code under the rules section of the database. Anytime I try to create data I get this error: App[2822:84615] 6.25.0 - [Firebase/Firestore][I-FST000001] Write at summary/8E27665C-5CE1-4C5A-A6A0-10EB77667083 failed: Missing or insufficient permissions.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure the uid of the requesting user matches name of the user
    // document. The wildcard expression {userId} makes the userId variable
    // available in rules.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null && request.auth.uid == userId;
      allow create: if request.auth != null;
    }
  }
}

Your user must be logged in and be accessing something they created for your rules to work.

I am working on the custom login screen video and then I will try it again. I got that error when I was logged in and trying to save information.

@MikaelaCaron Okay… so I have it set up with the following code.

// Get all the trip data
db.collection("trips").whereField("uid", isEqualTo: Auth.auth().currentUser!.uid).getDocuments { (snapshot, err) in

and that works just fine, only displaying the trips created by that user, but when I set the rule in Firebase I get the error.

I am sure it is something simple I am missing but hoping someone can point me in the right direction.

Hey James,

Ok, upon reading this thread again, it appears that you’ve already found the section that I was going to post.

But before diving into why I think you might be running into problems, let’s backtrack a little bit.

  1. My initial thought when reading your requirements was… why use a remote database at all? If the user shouldn’t see other people’s data then maybe a local database solution like Realm, SQLite or Core Data might work better. Not sure if you have remote or syncing requirements here… if not, one of those local DB options might be suitable. I saw in your other post that you initially thought to use Core Data. I think you were on the right track.

I'm switching out the Realm modules in the DB course for Core Data. First Core Data lessons drop next week!

  2. If using Firestore, then there are two ways I can see going about it.
    a. Configuring the database access rules so that the user can only access their own document (which is what you’re trying to do).
    b. Instead of configuring DB access rules, simply change the Firestore queries in your code to retrieve data that only belongs to that user.

In order of preference (top being most preferable), I would say:

  1. Use a local database solution if there are no data sharing/syncing requirements

2b. Changing your DB queries in your code to only pull back relevant data so the user never sees other people’s data

2a. Configuring the rules because this limits you to a specific DB structure that may or may not work for what you need.


Lastly, regarding your specific issue, you’re following the DB rule that was listed in this documentation article, right?

It requires that your Firestore db structure match the path of the URL listed in your rule. I’m not sure if your DB is structured that way?

/users/{userId}

means that you have a “users” collection and inside of it, each document is named after the UserID. This rule restricts you to ONLY read/write/update/delete information in that SINGLE document at /users/{userId}.

That user cannot do any DB operations anywhere else! So all of that user's data must be in that single document.

If that doesn’t work for what you’re trying to do, we COULD try to come up with a different rule set, but I suspect that the options I listed above, 1) and 2b), would be better!

Hope this helps!

One of my main concerns is I want the data stored somewhere, that way if the user loses their phone or deletes the app they don’t lose the data. I also want offline capabilities just in case they don’t have service while using the app.

From my research, Core Data is saved locally and CloudKit saves the private data in the user's iCloud account. So what happens if the iCloud account is full? You might be covering this in the lessons; if not, I hope you can mention it somewhere.

From my research on Firebase (I’m not sure if I can post the link for the video in here), it is mentioned that it’s best not to rely solely on client-side queries for limiting access to the database. Is this something you agree with, or do you think the client-side code that I currently have (using the whereField) will work just fine?

If I do just limit it on the client side, then what should I put in the Firebase rules so it doesn’t deny client requests?

For now I will try to structure the data in the users folder. This might not work for me down the road but will at least let me progress.

Thank you for taking the time to respond.
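
Added example, not part of the original thread: the rule posted above matches only /users/{userId}, so the write to summary/… and the trips query match no rule and are denied by default. The rules below keep that users rule and add per-owner checks for the trips and summary collections, so access is enforced server-side rather than only by the client query. Assumptions: every document in both collections stores the owner's id in a uid field (the thread shows this only for trips), and ownedBy is a hypothetical helper name.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical helper: caller is signed in and the given document
    // data is stamped with the caller's uid.
    function ownedBy(data) {
      return request.auth != null && data.uid == request.auth.uid;
    }

    // Rule from the thread, unchanged.
    match /users/{userId} {
      allow read, update, delete: if request.auth != null && request.auth.uid == userId;
      allow create: if request.auth != null;
    }

    // Collection queried in the thread with whereField("uid", isEqualTo: ...).
    match /trips/{tripId} {
      // Covers get and list. A list query is allowed only when its own
      // filters guarantee every result passes this check, which the
      // whereField("uid", ...) filter does. An unfiltered query is denied.
      allow read, delete: if ownedBy(resource.data);
      // New documents must carry the caller's own uid.
      allow create: if ownedBy(request.resource.data);
      // Owner only, and the uid field cannot be reassigned to someone else.
      allow update: if ownedBy(resource.data) && ownedBy(request.resource.data);
    }

    // Collection named in the error message. The uid field on these
    // documents is an assumption.
    match /summary/{summaryId} {
      allow read, delete: if ownedBy(resource.data);
      allow create: if ownedBy(request.resource.data);
      allow update: if ownedBy(resource.data) && ownedBy(request.resource.data);
    }
  }
}
```

With these rules in place the client must still send the whereField filter: rules do not filter results, they reject any query that could return a document the caller does not own.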