Firestore rules and migration of items to database

I have been experiencing this error for my ecommerce site and I can't seem to fix it. Any leads?
FirebaseError: Missing or insufficient permissions: The following request was denied by Firestore Security Rules:
    {
      "auth": {
        "uid": "LBzvLb3OzQP7d1kTzOuNbZ2bUrg1",
        "token": {
          "name": null,
          "email": "admin@example.com",
          "email_verified": false,
          "phone_number": null,
          "sub": "LBzvLb3OzQP7d1kTzOuNbZ2bUrg1",
          "firebase": {
            "identities": {
              "password": [
                "admin@example.com"
              ]
            },
            "sign_in_provider": "password",
            "tenant": null
          }
        }
      },
      "method": "list",
      "path": "/databases/(default)/documents/orders where customerId == LBzvLb3OzQP7d1kTzOuNbZ2bUrg1"
    }

Sorry about this, I’m in the Firebase team. This is something we’re looking at improving and understanding more, I’m going to send you a DM because I’d love to learn more.

Generally this means the request was denied by your Firestore rules and the rules need to be updated to allow the :list action on the orders collection for authenticated customers.

Yes, I just replied with what I am trying to achieve

Good day Firebase team. Sorry to bother, but I'm already in the migrating phase of my project and I've tried rolling back many times after I received this error "FirebaseError: Missing or insufficient permissions:". I don't know if it is due to my project's flow or not. I'm at a loss here. I'm just vibe coding, trying to custom-fit this app to my needs to build a web app. Any suggestions on what I should do?

I am also experiencing the same issue and hoping it will be sorted. I believe it is a weakness in Firebase Studio.

That error log is perfect, as it tells us exactly what’s wrong.

This is a classic (and very common) Firestore Security Rules issue. The error means your rules are blocking a query (a list operation) on your orders collection.

Here’s the simple explanation and the exact rule to fix it.

Why This Is Happening

For a query (like ...where("customerId", "==", ...)) to work, two rules must be true:

  1. A rule to allow querying the collection (allow list).

  2. A rule to allow reading every single document that the query returns (allow get).

Your app is correctly asking, “Get all ‘orders’ where ‘customerId’ matches my UID.” Your rules are stopping this list request, likely because you are missing one or both of these rules.


The Solution: Add allow list and allow get

You need to update your firestore.rules file to tell Firestore that an authenticated user is allowed to list the orders collection and get the individual documents if they are the owner.

Copy and paste this rule block into your firestore.rules file (inside the match /databases/{database}/documents { ... } block) and publish it.

Code snippet

    // This is the rule block you need to fix or add
    match /orders/{orderId} {

      // 1. THE 'GET' RULE:
      // Allows a user to read a SINGLE document by its ID
      // if their UID matches the document's 'customerId' field.
      // Check request.auth != null first: request.auth.uid is an error
      // (and therefore a denial) when the request is unauthenticated.
      allow get: if request.auth != null &&
                    resource.data.customerId == request.auth.uid;

      // 2. THE 'LIST' RULE:
      // Allows a user to run a QUERY on the 'orders' collection.
      // Rules are not filters: a list rule is evaluated once against the
      // query's constraints, not against each returned document, so the
      // query must include where("customerId", "==", <caller uid>).
      // A list rule of just `request.auth != null` would let any signed-in
      // user read every order in the collection.
      allow list: if request.auth != null &&
                     resource.data.customerId == request.auth.uid;
    }


How This Fixes Your Error

This two-part rule is the standard way to secure user-owned data:

  • The allow get rule is the main security. It says, “A user can only read a single order if they are the customer.”

  • The allow list rule opens the door for queries.

When your app runs the query ...where("customerId", "==", "your-uid"), Firebase now does the following check:

  1. Does the user have list permission on orders?

     • Yes, the allow list: if request.auth.uid != null; rule passes.

  2. Now, for every document this query finds, does it also pass the get rule?

     • Yes, because your app’s query (where("customerId", "==", "your-uid")) only finds documents that will pass the get rule (resource.data.customerId == request.auth.uid).

Important: This setup is secure. If a user tried to query all orders (e.g., collection("orders").get()), that query would fail. The list rule would pass, but the query would find an order belonging to another customer, which would fail the get rule, and Firebase would correctly deny the entire operation.

I hope this helps!
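A small offline model of how Firestore evaluates get and list rules against an ownership condition, added here as an example; it is not code from this thread or from the Firebase SDK. It assumes the thread's orders/customerId schema and constructed sample uids, and it models the rules engine rather than calling it:

```javascript
// Added example: a simplified model of Firestore rule evaluation.
// Firestore rules are not filters: a list rule is checked once against the
// query's constraints, not per result document, so resource.data.customerId
// can only be proven equal to the caller's uid when the query itself filters
// customerId == uid. Schema ("orders", "customerId") follows the thread.

// The ownership predicate:
//   request.auth != null && resource.data.customerId == request.auth.uid
function isOwner(auth, customerId) {
  return auth !== null && customerId !== undefined && customerId === auth.uid;
}

// get: resource.data is the actual document being read.
function allowGet(auth, doc) {
  return isOwner(auth, doc.customerId);
}

// list: resource.data is only what the query constrains. Every document that
// could match must satisfy the rule, so an unconstrained query is denied.
function allowList(auth, filters) {
  const eq = filters.find((f) => f.field === "customerId" && f.op === "==");
  return isOwner(auth, eq ? eq.value : undefined);
}

// What a list rule of just `request.auth != null` allows instead.
function allowListAuthOnly(auth) {
  return auth !== null;
}

// Constructed sample data (uid taken from the error log in the thread).
const ALICE = { uid: "LBzvLb3OzQP7d1kTzOuNbZ2bUrg1" };
const BOB = { uid: "uid-of-another-customer" }; // constructed placeholder
const ORDERS = [
  { id: "o1", customerId: ALICE.uid, total: 42 },
  { id: "o2", customerId: BOB.uid, total: 17 },
];

function scenarios() {
  const mine = [{ field: "customerId", op: "==", value: ALICE.uid }];
  const bobs = [{ field: "customerId", op: "==", value: BOB.uid }];
  return {
    ownOrderGet: allowGet(ALICE, ORDERS[0]),        // true
    otherOrderGet: allowGet(ALICE, ORDERS[1]),      // false
    ownQuery: allowList(ALICE, mine),               // true: where("customerId","==",uid)
    othersQuery: allowList(ALICE, bobs),            // false
    allOrders: allowList(ALICE, []),                // false: collection("orders").get()
    allOrdersAuthOnly: allowListAuthOnly(ALICE),    // true: any signed-in user reads everything
    signedOut: allowList(null, mine),               // false
  };
}
```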

Thank you, lemme try