Firebase: permission_denied at /: Client doesn't have permission
Educational use only. Content explains errors and defensive fixes for systems you own or are authorised to test. Do not use any technique here to access data, accounts, or networks without permission.
Root Cause
This error is thrown by Firebase Realtime Database or Cloud Firestore when a client application attempts to read or write data, but the security rules configured on the database deny the operation. By default, newly created Firebase databases have strict rules that deny all reads and writes unless the user is authenticated. If your frontend app attempts to fetch data without a valid auth token, or tries to write to a path restricted by the rules, this error is the result.
Fix / Solution
You must update your Firebase Security Rules in the Firebase Console. During prototyping, developers sometimes set the rules to allow all (`allow read, write: if true;`), but this is extremely dangerous for production because it grants every client, authenticated or not, full read and write access. The correct approach is to write rules that check the user's authentication state (e.g., `if request.auth != null;`) and ensure users can only modify their own documents.
Code Snippet
// ❌ Firebase Rules (Default: locked down)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

// ✅ Firebase Rules (Allow authenticated users to read/write their own document)
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Only allow users to read/write their own document
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
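
A check you can run over a rules file before deploying: it flags the `if true` pattern warned about above, and rules that test only `request.auth != null` with no ownership comparison. This is an added example, not code from the original page or from Firebase. The function name `lintFirestoreRules`, the issue labels and the `/posts/{postId}` path in the constructed sample are assumptions, and it assumes one statement per line.

```javascript
// Added example: a line-oriented check, not a full Firestore rules parser.
// Assumes one statement per line, as in the rules shown on this page.
function lintFirestoreRules(source) {
  const findings = [];
  const scope = []; // one entry per open block: a match path, or null for `service`
  source.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '').trim(); // drop // comments
    const m = /^match\s+(\S+)\s*\{$/.exec(line);
    if (m) { scope.push(m[1]); return; }
    if (line.endsWith('{')) { scope.push(null); return; }
    if (line === '}') { scope.pop(); return; }
    // `allow <ops>;` with no condition always grants, same as `if true`.
    const allow = /^allow\s+([^:;]+?)\s*(?::\s*if\s+(.+?))?\s*;$/.exec(line);
    if (!allow) return;
    const ops = allow[1].split(',').map((s) => s.trim());
    const cond = (allow[2] || 'true').replace(/\s+/g, ' ');
    const checksAuth = /request\.auth\s*!=\s*null/.test(cond);
    const checksUid = /request\.auth\.uid/.test(cond);
    let issue = null;
    if (cond === 'true') issue = 'open';                              // anyone, signed in or not
    else if (checksAuth && !checksUid) issue = 'any-authenticated';  // no ownership check
    if (issue) {
      findings.push({ line: idx + 1, path: scope.filter(Boolean).join(''), ops, issue });
    }
  });
  return findings;
}

// Constructed sample rules (hypothetical /posts path; /users rule is the page's own).
const SAMPLE_RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
    match /posts/{postId} {
      allow read: if request.auth != null;
    }
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}`;

console.log(lintFirestoreRules(SAMPLE_RULES));
```

An empty result does not prove the rules are safe; it only means neither of these two patterns was found.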