FR: Ability to run against Firestore rules, as part of the admin JS SDK #1254

akauppi started this conversation in Ideas

I noticed that the Admin SDK has a section on SecurityRules.

Would it be possible, at some point, to have the functionality in the Admin SDK to evaluate rules? I'd use this for testing my Firestore security rules.

Motivation:

The admin SDK is already used in Firebase backend testing. However, I am not aware of a way to apply security rules while using it. Therefore, testing whether certain access is allowed or not needs to be done using the client SDK or REST API.

If this were the case, @firebase/rules-unit-testing could then be implemented with the Admin SDK only. It currently has the firebase 8.5.0 client SDK as its dependency, which conflicts with using 9.x beta in one's project. (being the reason why I cannot use it, and am implementing the rules testing using REST API, instead)


Replies: 1 comment 2 replies


I don't quite follow. Access control with security rules is a feature only available when using the client SDKs (web, Android and iOS). While the Admin SDK supports administrating/managing the security rules, the Firestore API calls made by the Admin SDK are not regulated by the rules. Is your feature request to change that?

Also note that the Admin SDK is very different from the client SDKs (especially in terms of features like auth), so it's not a good substitute for testing how rules impact clients.

2 replies

I must have been a bit hasty in writing that original post. Apologies. I’ll try to explain better.

In my opinion, the current toolset for testing (Firestore) Security Rules is lacking, because there is not a way to ask "would this operation be allowed" - without such operation being carried out. This is what I was trying to suggest in the original post.

What I forgot is that in order to evaluate rules, it’s not enough to have the rules. One needs the data as well, since rules often are conditional on the existing data. Thus... this is less of the business of the admin SDK, as you rightly state.

As I currently see it, the ideal place would be for the Firestore REST API to allow something like a "dryrun" parameter that would behave as normal, but not carry out the set/delete what-not.

Comment options

You can test using the emulators :)
https://firebase.google.com/docs/firestore/security/test-rules-emulator

Which works perfectly!
