Firestore Permission Error: Missing or insufficient permissions for 'admin' user on /reviews collection (Production-only issue)

Dear Firebase Support Team,

I am encountering a persistent permission error in my Firestore database, specifically when attempting to read from the /reviews collection. This issue is strictly observed in our production environment and does not reproduce in local development or when using the Firebase Emulator.

Problem Description: When an authenticated user with the role: "admin" (as stored in their /user_profiles/{uid} document) tries to access the /reviews collection, they receive the following error: Error [FirebaseError]: Missing or insufficient permissions.

This error occurs when navigating to a page in my application that attempts to fetch data from the /reviews collection in production.

Relevant Firestore Security Rules:

For /reviews collection:
  match /reviews/{reviewId} {
    allow read: if isContributorOrMore();
    // … other rules
  }

For /user_profiles collection:
  match /user_profiles/{uid} {
    // …
    allow read: if isSignedIn();
    // …
  }

Helper functions:

  function isSignedIn() {
    return request.auth != null;
  }

  // userProfile() is defined elsewhere in the ruleset (not shown here)
  function isContributorOrMore() {
    return isSignedIn() && userProfile().data.role in ['admin', 'ambassador', 'contributor'];
  }

Steps Taken and Observations:

  1. Firestore Data Verification: I have confirmed that the user’s user_profiles/{uid} document in the live production Firestore database explicitly contains role: "admin".

  2. Firebase Emulator Test: When I simulate a GET request to /reviews/{reviewId} with the UID of the ‘admin’ user in the Firebase Emulator, the request succeeds without any permission issues. This strongly suggests that the security rules themselves are correctly configured to allow ‘admin’ users to read the collection.

  3. Client-Side Authentication State: My web application maintains a firebaseSession cookie (example: {"uid":"aoUI5txRMbaLLAwr6Wo8jpJ5KqV2","email":"ady@admin.com","role":"admin"}) indicating the user’s logged-in status and role. However, despite this, the Firestore SDK appears to not be correctly recognizing the authenticated user’s context, leading to request.auth potentially being null or insufficient in the security rules evaluation when the request originates from the client in production.

Expected Behavior: An authenticated user with the admin role should be able to successfully read data from the /reviews collection in all environments, including production, according to the defined Firestore security rules.

I suspect the issue might be related to how the client-side Firebase Authentication state is being communicated or maintained with the Firestore SDK for subsequent database requests in the production environment, especially after initial login or a page refresh, as the rules themselves appear to be correct.

Could you please assist me in diagnosing why Missing or insufficient permissions is occurring for an ‘admin’ user on the /reviews collection exclusively in production, despite the rules appearing correct and emulator tests passing?

Thank you for your time and assistance.

I’m a citizen developer using Firebase Studio to develop web apps.

Sincerely,
Ady

It sounds like you’re setting a session cookie to manage access to your pages/API, but there’s a disconnect between your server/session state (the cookie) and the client-side Firestore SDK’s internal Auth state. If your app attempts to fetch the /reviews collection before the Firebase Auth SDK has fully initialized and restored the user session, request.auth in your Security Rules will be null.

Can you try these following steps?

  1. Diagnose the Auth state for a race condition. Add console.log("Current User before fetch:", auth.currentUser) to see if it’s null right after const auth = getAuth().
  2. Verify the token handoff if you’re using Server-Side Rendering. This is because the Client SDK is not automatically signed in just because the server rendered the page. Gemini suggests:
    1. Client-side Re-auth: Allow the client SDK to restore the session from LocalStorage (this causes a delay/flicker while it loads).
    2. Token Handoff (Hydration): You must take the custom token from the server and force the client SDK to sign in immediately.
  3. See if the document ID in user_profiles matches request.auth.uid exactly.
  4. Try the Firebase Console Rules Playground. Firebase Console → Firestore → Rules → Edit Rules → Rules Playground, select the “get” method, set the path to reviews/someExistingReviewID, turn on “Authentication”, copy the UID of your production admin user and paste it in the UID field in the playground, then run the test.

You should also consider changing your rule to allow read: if request.auth.token.role == 'admin'; because it requires zero database lookups.
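The race described in this reply, as an added example that is not part of the thread or of the Firebase SDK: a fake Auth object stands in for the SDK (constructed here, restoring the session on a later tick the way the real SDK does from persistent storage), the rule from the original post is mirrored in plain JS so the effect of request.auth being null is visible, and a small waitForAuthReady helper gates the query on the first onAuthStateChanged callback. userProfile() is assumed to be a get() of /user_profiles/{request.auth.uid}, since the thread does not show its definition; the UID is the one from the cookie example above.

```javascript
// Added example (not from the thread): models the auth-state race and its fix.
// Mirror of isSignedIn() && isContributorOrMore() from the original post,
// evaluated in JS so the rule's outcome can be seen without a Firestore project.
const ALLOWED_ROLES = ['admin', 'ambassador', 'contributor'];

function ruleAllowsRead(requestAuth, userProfiles) {
  if (requestAuth == null) return false;             // isSignedIn() fails: no user attached
  // Assumption: userProfile() == get(/user_profiles/$(request.auth.uid))
  const profile = userProfiles[requestAuth.uid];
  if (!profile) return false;                        // get() on a missing doc fails the rule
  return ALLOWED_ROLES.includes(profile.role);
}

// Constructed stand-in for the Auth SDK: currentUser stays null until the
// persisted session is restored, which happens asynchronously (next tick here).
function makeFakeAuth(restoredUser) {
  const auth = { currentUser: null, listeners: [] };
  setTimeout(() => {
    auth.currentUser = restoredUser;
    for (const cb of auth.listeners) cb(restoredUser);
  }, 0);
  return auth;
}

// Same shape as the modular SDK's onAuthStateChanged(auth, cb) -> unsubscribe.
function onAuthStateChanged(auth, callback) {
  auth.listeners.push(callback);
  return () => { auth.listeners = auth.listeners.filter(cb => cb !== callback); };
}

// Resolves with the user (or null) once the SDK has settled its initial state.
function waitForAuthReady(auth) {
  return new Promise(resolve => {
    const unsubscribe = onAuthStateChanged(auth, user => {
      unsubscribe();
      resolve(user);
    });
  });
}

// What the rules engine sees as request.auth: null when no user is attached.
function requestAuthFor(user) {
  return user ? { uid: user.uid } : null;
}

// Constructed data: profile doc keyed by the UID from the thread's cookie example.
const ADMIN_USER = { uid: 'aoUI5txRMbaLLAwr6Wo8jpJ5KqV2' };
const PROFILES = { [ADMIN_USER.uid]: { role: 'admin' } };

// Naive: query immediately after getAuth(), before the session is restored.
// The profile doc says admin, but request.auth is null, so the rule denies.
function naiveRead() {
  const auth = makeFakeAuth(ADMIN_USER);
  return ruleAllowsRead(requestAuthFor(auth.currentUser), PROFILES);
}

// Gated: wait for the first auth-state callback, then query. Same user, same
// rules, same profile doc; only the timing differs.
async function gatedRead() {
  const auth = makeFakeAuth(ADMIN_USER);
  const user = await waitForAuthReady(auth);
  return ruleAllowsRead(requestAuthFor(user), PROFILES);
}

console.log('naive read allowed:', naiveRead());      // false
gatedRead().then(ok => console.log('gated read allowed:', ok));  // true
```

In a real app, replace makeFakeAuth with getAuth() and onAuthStateChanged with the imports from firebase/auth; waitForAuthReady works unchanged because it only relies on that callback/unsubscribe shape. Note that the custom-claims rule suggested above (request.auth.token.role == 'admin') still dereferences request.auth, so the query must be gated the same way; claims only remove the profile-document lookup, not the need for an attached user.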

Hey Tianzi,

Thank you for your feedback.
I tried these different steps using Gemini through Firebase Studio, as I’m not able to do things manually (I’m not a developer).
In the end, it’s not possible to read the reviews collection when I put a rule other than “allow read if true;”.

I had the same issue with the collection ‘user_profiles’, which worked only with the rule “allow read if true;”. Now I can use the rule “allow read if isSignedIn();”; I encountered blocking points for a few weeks before the resolution with the help of Gemini.

The other difficulty that I encountered using Firebase Studio is the fact that I can’t reproduce the production issue in the development environment.

Thanks & regards,

Ady

Hi Ady,

I had the same issue with permission level access on one of my projects, and after a whole lot of back and forth between Gemini, Claude and ChatGPT I was able to resolve it.

I would advise you not to depend only on Gemini to fix this issue; you can copy your error messages to other AIs that are code-smart, like Claude. Trust me, it works like magic sometimes.

Also, you can prompt Gemini to create a temporary “Make-Admin” page where you can elevate your current user to the “Admin” role.

Then there is the seeding, where Gemini creates a seed.json file in your project root and then you run npm run seed in your terminal to make you an admin and have full access to your app.

All in all, I think Google needs to improve how admin access is created when developing on Firebase; right now it is hell for us vibe coders. I hope Google looks into how about 80% of users have this same permission-level issue.

I hope this helps.

Emmanuel.