[Firestore] Data Dropped On Permission Denied

[SelaseKay]

[READ] Step 1: Are you in the right place?

Issues filed here should be about bugs in the code in this repository. If you have a general question, need help debugging, or fall into some other category use one of these other channels:

• For general technical questions, post a question on StackOverflow with the firebase tag.
• For general Firebase discussion, use the firebase-talk google group.
• For help troubleshooting your application that does not fall under one of the above categories, reach out to the personalized Firebase support channel.

[REQUIRED] Step 2: Describe your environment

• Android Studio version: _____ Android Studio Hedgehog | 2023.1.1 Patch 2
• Firebase Component: _____ (Firestore)
• Component version: _____ "com.google.firebase:firebase-firestore:25.0.0"

[REQUIRED] Step 3: Describe the problem

I encountered an issue where a device was offline, and the permissions for a Firestore collection were changed. When the device reconnected and tried to upload data, I received a permission error:

2024-08-14 13:05:25.304 12838-12868 Firestore               com...mple.triageflutterfireandroid  W  (25.0.0) [WriteStream]: (ce5a72e) Stream closed with status: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}.

2024-08-14 13:05:25.312 12838-12868 Firestore               com...mple.triageflutterfireandroid  W  (25.0.0) [Firestore]: Write failed at test-collection/j320prNQkghLhwIf0z0j: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}

As a result, the data was never uploaded and got lost permanently. Ideally, local data should never be removed unless explicitly instructed to do so.

Steps to reproduce:

Run

val firestore = Firebase.firestore

val settings = firestoreSettings {
        setLocalCacheSettings(
            persistentCacheSettings {
                setSizeBytes(FirebaseFirestoreSettings.CACHE_SIZE_UNLIMITED)
            }
        )
}

firestore.firestoreSettings = settings

val collection = firestore.collection("test-collection")

firestore.disableNetwork().addOnCompleteListener {
    val data = hashMapOf(
        "0" to 0,
    )

    collection.add(data)
}

Change the Firestore rules to

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

Wait a few moments for the new rules to take effect. Run the previous code again but this time, without scoping the collection.add to firestore.disableNetwork().addOnCompleteListener. Also change the collection data to hashMapOf("1" to 0). Your modified code should look like this:

val firestore = Firebase.firestore

val settings = firestoreSettings {
        setLocalCacheSettings(
            persistentCacheSettings {
                setSizeBytes(FirebaseFirestoreSettings.CACHE_SIZE_UNLIMITED)
            }
        )
}

firestore.firestoreSettings = settings

val collection = firestore.collection("test-collection")

val data = hashMapOf(
  "1" to 0,
)

collection.add(data)

You should get a permission denied error after running the above code.

Then change the rules to:

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

and run the code again but change hashMapOf("1" to 0) -> hashMapOf("2" to 0)

The expect result would be three documents in the "test-collection" collection, with data {"0": 0}, {"1": 0} and {"2": 0}. But when following the above steps, only {"2": 0} actually exists.

This issue is linked to flutterfire

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[tom-andersen]

@SelaseKay Thank you for the clear explanation.

The call to collection.add(data) will return a future that you can listen for success or failure, and thereby implement some error handling logic on your end. This doesn't cover the situation where your app is restarted and persistence is enabled. In that case, the write will be attempted best effort next time the app starts, and will fail or succeed silently.

The API currently doesn't afford tracking of queued writes, so I am marking this a feature request.

To better understand your situation:

Are you looking to attach an error handler within the app? Do you simply want to monitor or log write errors? Are you looking for greater control over the write queue, if so, what control do you want?