The security rules for Firestore initially look like this :
match /{document=**} {
allow read, write;
}
This read permission can be divided into get and list. By restricting this list privilege, it is possible to prohibit the acquisition of a list. :
match /{document=**} {
allow get;
allow list: if false;
allow write;
}
The following code was successful before narrowing down the security, but after narrowing it down, the error occurs as expected :
firebase.firestore().collection("collection_foo").get().then((qs) => {
qs.forEach((d) => console.log(d.id));
});
// Uncaught (in promise) FirebaseError: Missing or insufficient permissions.
doc https://firebase.google.com/docs/firestore/security/rules-structure
This page is auto-translated from /nishio/Firestoreで一覧取得を禁止する using DeepL. If you looks something interesting but the auto-translated English is not good enough to understand it, feel free to let me know at @nishio_en. I’m very happy to spread my thought to non-Japanese readers.