FirebaseError: Missing or insufficient permissionsYour Firestore security rules are blocking the operation.
Why this happens
Firestore security rules act as a server-side gatekeeper for every read and write operation. By default, new Firestore databases come with rules that allow all access for 30 days, then switch to denying everything. If your rules donβt explicitly allow the operation youβre attempting β or if the user isnβt authenticated when the rules require it β Firestore rejects the request with this error.
Fix 1: Check your security rules
// β Default rules deny everything after 30 days
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}Fix 2: Allow authenticated users
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postId} {
allow read: if true;
allow write: if request.auth != null;
}
}
}Fix 3: Check authentication
import { getAuth } from 'firebase/auth';
const user = getAuth().currentUser;
console.log(user); // null = not logged inAlternative solutions
Use the Firebase Emulator Suite to test security rules locally before deploying them:
firebase emulators:startYou can also use the Rules Playground in the Firebase Console to simulate requests against your rules and see exactly which rule is allowing or denying access.
Prevention
- Never use
allow read, write: if truein production β always require authentication at minimum, and scope write access to document owners where possible. - Set up the Firebase Emulator early in development so you can iterate on security rules without deploying to production.
Related: Supabase vs Firebase Β· What is OAuth? Β· Supabase: Auth Session Missing fix