Client doesn't have permission to access the desired data. #56
Comments
Hi @irohitb thanks for creating this issue. This SDK only supports the Realtime Database and is the reason for the error you are seeing. Good news is that we have a new JavaScript SDK that handles both the RTDB as well as Cloud Firestore. The documentation for it is here. Do bear in mind that the new SDK is currently in alpha and even though we do not plan to make any more breaking changes, it is totally possible that we would need to make them without notice.

Hi, your problem is that your web app or whatever needs to be initialized and !! authorized to read the data:
that means that you can only read the documents if you have an auth.id, that is, you need to log in with whatever method you are using.

I was wondering if using flamelink to manage the data for a public website, what would be the best or common way to allow the public to read the data. If using
firebase service will email you that your database rules are unsecured and everyone can read the complete database. I don't know if this is a problem actually since all the data will be rendered to the website anyway ... anyone else dealing with that?

@ngmiduc It's probably best practice to have at least a client-level of credentials to access your data. In other words have a client id that your clients connect with so you can track which clients are generating your traffic. This is different from authenticating users, now you can have anonymous users but authorized applications. The best practice around this however would be to utilize a server generated frontend so that the data can be pulled using a secret key from the server instead of exposing sensitive keys to the user's browser and then subsequently embed the retrieved data in the output sent to the users.

@ngmiduc In this manner then you could completely privatize your data and only have public APIs with generated access keys to access your data from the public domain so you can throttle accounts based on usage.

Thanks for your insightful answers @ngmiduc and @grandadmiralmcb To add to the discussion: @ngmiduc You do not have to either be authed or not, you can customize your database rules so that certain content is readable without being authed, while you lock your other content down to either no access from your app's front-end or for specific UID's, etc. Here is an article I wrote a while back for the real-time DB, but the same principles can be applied for Cloud Firestore as well. To @grandadmiralmcb's point, you can also consider using Firebase's anonymous auth.

Hey, thanks for the extra information.
Thanks, best.

Like I'm sure you already are well aware, in Firestore, we store all your content in a single collection called
Hi, yes I noticed that. Thanks for the code.
from :
Firestore rules:
I have the feeling that flamelink also wants access to all other collections in firestore, like: fl_files, fl_folders ... and so on. I feel like that I have to permit the web app and flamelink access to all flamelink collections: fl_content/enviroment/files/folders/locals/permission/user/schemas/settings. So maybe just use firebase anonym. login

Oh ya, I meant to give the permissions as an example for the For the app itself, Flamelink requires read and write permissions for all the Flamelink specific collections (starting with Are you seeing this permission denied error within Flamelink or your app? If it is your app, there is also a

Hi,
flamelink:
I have updated to error :
when I try to call app.content.get() ...

Does it work if you change the read permission to

Yep, this will work.

Yes, to be clear, I do not advise that you set and leave your whole database to Can you please send me your whole DB rule config so that I can take a look?

It is the minimum example above :
Flamelink itself (the app) won't work with these settings because it won't be able to access the collections. I'm not 100% sure about your app's use case, but what I would suggest is to use something like this:
Depending on the API methods you use, you might need to add specific

Let's say we are talking about a public website, e.g. a Blog where the blog posts are managed by flamelink. So the public needs access to all blog posts / content that contain only texts, some meta infos and maybe some images. So read and write is set for the CMS user and the scheme key "posts" needs to be readable for public. I'll try your suggestion.

Well that works very fine!

Great, I'm glad you got it sorted in the end.

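An added example, not taken from the thread or from Flamelink's documentation: a Firestore rule set for the public-blog case discussed above, with the setting to avoid shown as a comment. The field path `_fl_meta_.schema` is an assumption about where each content document stores its schema key; `fl_content` and the `posts` key are the names used in the thread.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Setting to avoid leaving in place: it makes every collection
    // world-readable, including the CMS user, permission and settings data.
    //   match /{document=**} { allow read: if true; }

    // Default for every collection: signed-in users only, which is what
    // the CMS itself needs. Narrow this to specific UIDs if only a few
    // editors should have write access.
    match /{document=**} {
      allow read, write: if request.auth != null;
    }

    // Public exception: content entries of the "posts" schema only.
    // Overlapping matches are OR-ed, so this grants unauthenticated reads
    // here without loosening the default above.
    // ASSUMPTION: the schema key lives at _fl_meta_.schema; check one of
    // your own documents in the console and adjust the path if it differs.
    match /fl_content/{entry} {
      allow read: if resource.data._fl_meta_.schema == 'posts';
    }
  }
}
```

Firestore rules are not filters: an unauthenticated query on `fl_content` is rejected in full unless the query itself constrains that same field to `'posts'`, so a permission error on a list call with these rules usually points at the query rather than the rule.
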
Deleting and reinstalling the google service json files for android and ios will solve the problem.

Hey, I am getting following error
Error: permission_denied at /flamelink/environments/production/schemas/user: Client doesn't have permission to access the desired data.
I am using cloud firestore instead of firebase and I have a feeling that I followed the doc correctly, anyway my rules for the cloud firestore (from the docs) are
What I was trying to do
Yes I did initialise the app like this
Any idea what I could be doing wrong?