The 'Missing or insufficient permissions' error in Firebase means your Firestore security rules are blocking the requested operation. This is the most common Firebase error. Fix it by updating your Firestore rules to match the queries your app makes, remembering that rules are not filters — your query must structurally match your security rules.
What does "Missing or insufficient permissions" mean in Firebase?
When Firebase returns "Missing or insufficient permissions," your Firestore security rules are denying the read or write operation your app is attempting. This appears as FirebaseError with code permission-denied in web apps, FirebaseFirestoreException: PERMISSION_DENIED on Android, and [cloud_firestore/permission-denied] in Flutter.
The critical concept most developers miss is that Firestore rules are not filters. Firestore evaluates whether a query could potentially return unauthorized data, not whether it actually does. If your rules restrict documents by userId, your query must include a .where('userId', '==', currentUid) clause — even if every document in the collection belongs to the current user. Without the matching where clause, Firestore rejects the entire query.
This error is especially common in AI-generated code because tools like Lovable, Cursor, and V0 frequently generate Firestore queries without matching security rules, or they set rules to allow read, write: if true during development and the developer later locks them down without updating the queries.
Common causes
- Firestore security rules deny the operation because the user is not authenticated or the auth token has expired
- The query does not structurally match the security rules, for example, querying an entire collection when rules require a userId filter
- CollectionGroup queries are missing the required match path for subcollections in the security rules
- Security rules were changed (locked down from development mode) without updating the corresponding app queries
- The user's custom claims or role fields used in security rules do not match what the rules expect
- A write operation is being attempted on a document where the rules require specific field values or validation that the data does not meet
How to fix "Missing or insufficient permissions" in Firebase
Start by using the Rules Playground in the Firebase Console (Firestore > Rules > Rules Playground). This tool lets you simulate any read or write operation against your current rules and shows exactly why a request is allowed or denied. This is the single most reliable debugging tool for permission errors.
First, check if the user is authenticated. Many rules require request.auth != null. If your app does not require login, you need rules that allow unauthenticated access. For authenticated apps, verify the user's token is not expired and that auth state is fully initialized before making Firestore calls.
Next, ensure your queries match your rules. If your rules say allow read: if request.auth.uid == resource.data.userId, then your query must include .where('userId', '==', auth.currentUser.uid). A query without this filter will be denied even if all documents belong to the user.
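The "rules are not filters" behaviour, as an added example that is neither Firebase's code nor part of the original page: a simplified JavaScript model of a rule of the form allow read: if request.auth.uid == resource.data.authorId, showing why a query is judged by its constraints rather than by the documents it would return. The function names, the filter-object shape and the sample data are assumptions made for the illustration, and only the equality case discussed here is modelled.

```javascript
// Simplified model, constructed for illustration (not Firebase's implementation),
// of the rule:  allow read: if request.auth.uid == resource.data.<ownerField>;

// Single-document read ("get"): the rule is checked against the stored document.
function evaluateGet(ownerField, auth, doc) {
  if (!auth) return { allowed: false, reason: 'unauthenticated' };
  return doc[ownerField] === auth.uid
    ? { allowed: true, reason: 'document owner matches' }
    : { allowed: false, reason: 'document belongs to another user' };
}

// Query ("list"): the rule is checked against the query's potential result set,
// i.e. its constraints, not the field values of the documents in the collection.
// The query passes only if its filters guarantee every result satisfies the rule.
function evaluateList(ownerField, auth, filters) {
  if (!auth) return { allowed: false, reason: 'unauthenticated' };
  const pinned = filters.find(f => f.field === ownerField && f.op === '==');
  if (!pinned) return { allowed: false, reason: `no equality filter on ${ownerField}` };
  if (pinned.value !== auth.uid) return { allowed: false, reason: 'filter names another user' };
  return { allowed: true, reason: 'filter proves all results are owned by caller' };
}

// Constructed sample data: every document already belongs to alice.
const alice = { uid: 'alice' };
const samplePosts = [
  { id: 'p1', authorId: 'alice' },
  { id: 'p2', authorId: 'alice' },
];
const ownFilter = { field: 'authorId', op: '==', value: 'alice' };

function demo() {
  return {
    getOwnDoc: evaluateGet('authorId', alice, samplePosts[0]),
    // Denied although no document in the collection belongs to anyone else.
    listNoFilter: evaluateList('authorId', alice, []),
    listMatching: evaluateList('authorId', alice, [ownFilter]),
    listOtherUser: evaluateList('authorId', alice, [{ ...ownFilter, value: 'bob' }]),
    // Auth state not ready yet: the request is evaluated as signed out.
    listSignedOut: evaluateList('authorId', null, [ownFilter]),
    listUnrelatedFilter: evaluateList('authorId', alice,
      [{ field: 'published', op: '==', value: true }]),
  };
}

console.log(demo());
```
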
For development, you can temporarily use permissive rules (allow read, write: if true), but never deploy these to production. Instead, write rules that match your actual data access patterns and test them thoroughly in the Rules Playground before deploying.
```
// Security rules (too restrictive without matching query)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth.uid == resource.data.authorId;
    }
  }
}
```

```javascript
// Query (missing the required where clause)
// db is the app's initialized Firestore instance.
import { collection, getDocs } from 'firebase/firestore';

const posts = await getDocs(collection(db, 'posts'));
```

```
// Security rules (unchanged)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {
      allow read: if request.auth.uid == resource.data.authorId;
    }
  }
}
```

```javascript
// Query (now matches the security rule structure)
// db and auth are the app's initialized Firestore and Auth instances.
import { collection, getDocs, query, where } from 'firebase/firestore';

const user = auth.currentUser;
if (!user) throw new Error('User must be signed in');
const posts = await getDocs(
  query(
    collection(db, 'posts'),
    where('authorId', '==', user.uid)
  )
);
```

Prevention tips
- Always use the Rules Playground in Firebase Console to test your security rules before deploying — it shows exactly why a request is allowed or denied
- Remember that Firestore rules are not filters: every query must structurally match the rules, including where clauses that mirror the rule conditions
- Wait for auth state to be fully initialized (use onAuthStateChanged) before making Firestore calls, as queries made before auth is ready will appear unauthenticated
- Never deploy allow read, write: if true rules to production — Firebase will email warnings and your data is exposed to anyone with your project ID
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm getting 'FirebaseError: Missing or insufficient permissions' in my web app. My Firestore security rules require authentication but my queries work in the Rules Playground. What are all the reasons this error could appear and how do I debug it systematically?
My Firebase app throws 'Missing or insufficient permissions' when reading from the posts collection. Here are my security rules and query code: [paste both]. Tell me why the rules are blocking the query and fix both the rules and the query.
Frequently asked questions
What causes "Error: Missing or insufficient permissions" in Firebase?
This error is caused by Firestore security rules blocking your operation. The most common reasons are: the user is not authenticated, the query does not structurally match the rules (missing a required where clause), or the rules were recently updated without matching query changes. Use the Rules Playground to diagnose exactly which rule is blocking the request.
Why does my query fail even though all documents belong to the current user?
Firestore rules are not filters. Even if every document matches your rule conditions, Firestore rejects any query that could theoretically return unauthorized data. If your rules check userId, your query must include .where('userId', '==', currentUser.uid) to structurally prove it will only access authorized documents.
How do I temporarily fix the permissions error for development?
Set your Firestore rules to allow read, write: if true for testing. However, never deploy these permissive rules to production. Firebase will send warning emails and your data will be publicly accessible. Always write proper rules before going live.
Does the permissions error appear differently on Android and iOS?
Yes. On web it appears as 'FirebaseError: Missing or insufficient permissions' with code permission-denied. On Android it is 'FirebaseFirestoreException: PERMISSION_DENIED'. On Flutter it is '[cloud_firestore/permission-denied]'. The cause and fix are the same across all platforms.
Can AI-generated code cause this Firebase permissions error?
Yes, this is extremely common. AI code generators frequently create Firestore queries without matching security rules, or generate permissive development rules that break when you add proper security. Always review and test both your rules and queries after using AI-generated code.
Can RapidDev help me set up proper Firestore security rules?
Yes. RapidDev can audit your Firestore security rules, ensure your queries match the rule structure, and implement role-based access control patterns that are both secure and performant. This is especially important for applications handling sensitive user data.