Asked 1 month ago by NebularScientist578

How to Configure Firestore Rules for Public Read and Authenticated Write?

I have a Firestore database with a collection as shown below:

I want logged-in users to be able to read and write to this collection, while unauthenticated users can only read it.

Here is my current Firestore rules configuration:

RUBY
service cloud.firestore {
  match /databases/{database}/documents {
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }
    allow read, write: if request.auth != null;
    allow read: if request.auth == null;
  }
}

However, I keep getting the error FirebaseError: Missing or insufficient permissions. I've tried other configurations as well without success.

Below is the relevant code where Firestore is used to add a document:

JAVASCRIPT
import { initializeApp } from "https://www.gstatic.com/firebasejs/11.1.0/firebase-app.js";
import { getStorage, ref, uploadBytes, getDownloadURL } from "https://www.gstatic.com/firebasejs/11.1.0/firebase-storage.js";
import { getFirestore, addDoc, doc, collection } from 'https://www.gstatic.com/firebasejs/11.1.0/firebase-firestore.js';

var firebaseConfig = {
  apiKey: "",
  authDomain: "",
  projectId: "",
  storageBucket: "",
  messagingSenderId: "",
  appId: ""
};

const app = initializeApp(firebaseConfig);
const storage = getStorage(app);
const db = getFirestore(app);

// Upload the image to Cloud Storage under the recipe's id.
const storageRef = ref(storage, `${recipeId}`);
await uploadBytes(storageRef, file);
const imageURL = await getDownloadURL(storageRef);
var recipeImageUrl = URL + recipeId + "?alt=media";

var date = new Date();
const createdTime = date.toLocaleString("en-US", { timeZone: "America/New_York" });
var titleCaseName = titleCase(addRecipeName);

// Add a new document with a generated id.
const docRef = await addDoc(collection(db, "AddedRecipes"), { ... });

Any ideas on adjusting my Firestore rules or code so that unauthenticated users can read but only authenticated users can write?

2 Answers

Answer by StackOverflowTychoAI Agent 1 month ago

Below is one correct way to write your Firestore rules so that all users can read but only authenticated users can write:

RUBY
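service cloud.firestore {
  match /databases/{database}/documents {
    // allow statements only take effect inside a match that covers documents
    match /AddedRecipes/{recipe} {
      // Allow anyone to read
      allow read: if true;
      // Allow only authenticated users to write
      allow write: if request.auth != null;
    }
  }
}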

What’s Going On

  • The rule for read uses if true, which means everyone (logged in or not) can read.
  • The write rule only allows operations when request.auth != null, so only logged-in users can create, update, or delete documents.

Likely Cause of Your Error

Using rules like:

RUBY
allow read, write: if request.auth != null;
allow read: if request.auth == null;

may lead to confusion because write operations cannot fall back to the second rule (which only grants read). Ensure that your intended write rule is only enabled when a user is logged in and that your frontend properly authenticates users before attempting to write.

Next Steps

  1. Double-check Your Authentication:
    Make sure your app properly signs in the user before calling any write operations. If the user is not authenticated, Firestore will correctly deny any write attempts with a "Missing or insufficient permissions" error.

  2. Deploy Updated Rules:
    After updating your rules, deploy them to your Firebase project so the correct permissions are applied.

By restructuring your rules as shown above and verifying your authentication flow, your logged-in users should be able to write while non-logged-in users can still read the collection.

Answer by AstroHunter384 1 month ago

Your read and write rules are at the wrong nesting level. You need to match specific documents in a way similar to the rules you commented out, then apply the rules under the match that matches the document. If you want to apply permissions to all documents in a specific collection, you need to match them explicitly using the name of the collection and a wildcard specifier for the document itself:

FIRESTORE
service cloud.firestore { match /databases/{database}/documents { match /AddedRecipes/{doc} { allow write: if request.auth != null; allow read: if true; } } }

Also note above that if you want any user to read documents in a collection, your condition need only be "true".

See the documentation for more details.
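
Added example, not part of either answer and not Firebase code: a simplified JavaScript model of rule matching that shows why allow statements placed directly under match /databases/{database}/documents grant nothing, while the same statements under match /AddedRecipes/{doc} give public read and authenticated write. The helpers pathMatches, isAllowed and report, the document path and the user object are constructed for illustration.

```javascript
// Simplified model of Firestore rule matching (illustration only, not the
// real rules engine). Paths are relative to /databases/{database}/documents.
function pathMatches(pattern, docPath) {
  const pat = pattern.split("/").filter(Boolean);
  const doc = docPath.split("/").filter(Boolean);
  for (let i = 0; i < pat.length; i++) {
    // {name=**}: recursive wildcard, modelled here as one or more segments
    if (/^\{\w+=\*\*\}$/.test(pat[i])) return doc.length > i;
    if (i >= doc.length) return false;
    // {name}: single-segment wildcard; anything else must match literally
    if (!/^\{\w+\}$/.test(pat[i]) && pat[i] !== doc[i]) return false;
  }
  return pat.length === doc.length; // an empty pattern matches no document
}

// Access is granted if ANY allow statement in ANY matching block passes.
function isAllowed(rules, op, docPath, auth) {
  return rules.some((block) =>
    pathMatches(block.path, docPath) &&
    block.allows.some((a) => a.ops.includes(op) && a.cond({ auth })));
}

const authOnly = { ops: ["read", "write"], cond: (req) => req.auth !== null };
const anonRead = { ops: ["read"], cond: (req) => req.auth === null };

// Question's layout: allow statements directly under the database root.
const asked = [{ path: "", allows: [authOnly, anonRead] }];
// Same two statements, moved under a match for the collection's documents.
const moved = [{ path: "/AddedRecipes/{doc}", allows: [authOnly, anonRead] }];
// Second answer's layout.
const nested = [{ path: "/AddedRecipes/{doc}", allows: [
  { ops: ["write"], cond: (req) => req.auth !== null },
  { ops: ["read"], cond: () => true },
] }];

// Evaluate the four cases against a constructed document path and user.
function report(rules) {
  const doc = "AddedRecipes/r1";
  const user = { uid: "u1" };
  return [
    isAllowed(rules, "read", doc, null),  // anonymous read
    isAllowed(rules, "write", doc, null), // anonymous write
    isAllowed(rules, "read", doc, user),  // signed-in read
    isAllowed(rules, "write", doc, user), // signed-in write
  ].join(",");
}

console.log("asked :", report(asked));
console.log("moved :", report(moved));
console.log("nested:", report(nested));
```

In this model the "asked" layout denies all four cases, which is consistent with the error in the question appearing even for reads; "moved" and "nested" both deny only the anonymous write.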
