Firestore Security Rules Recipes

Firestore Security Rules Recipes



Here you will find some basic Firestore Security Rules Recipes. In particular, I try to cover some basic and useful code snippets and explanations, which should help to secure your Cloud Firestore Database.

First, you should keep in mind, that Firebase checks for the first allow, that is set to true. So, best practice is to give access where access is needed:

service cloud.firestore {
  match /databases/{database}/documents {    
    // here will be your rules 
    // that grant access to specific documents of collections
  }
}

Write and Read

With read and write you can handle the basic actions. Consider the following code:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if false;
      allow read: if true;
    }
  }
}

Everyone would be allowed to read your database but not write to it. So far, so clear. But, those basic actions can be further broken down:

read consists of:

get // allows to get a specific document
list // allows to read or query a collection 

write consists of:

create // allows to create a document
delete // allows to delete a document
update // allows to update a document

This way you can further specify, who is allowed to do what exactly.

Basics of Firestore Security Rules

First, we should mention that request relates to incoming data, while resource relates to the existing data at a given location. So, the following would relate to data at a specific path:

resource.data

While this, for example, would refer to the incoming authentication data:

request.auth

Next, let us have a look at one basic functionality, which can be handy to know: is. Because with the keyword is you can check for a specific type. For example:

resource.data.name is string 

To specify, which path a rule is applied to, use the following:

match /{document=**} // the rules apply to all sub-collections
match /product/xyz // the rules apply to this specific path
match /product/{productId} // the rules apply to this yet-to-be path

Useful Firestore Security Rules

User authorization is an important issue for most apps. So, here you will find some useful code snippets, that deal with user authorization.

Allow Access to Signed-In Users

Only allow access, when the requesting user is signed in:

match /profile/{profileID} {
    allow read: if request.auth != null;
}

Allow the Owner of a Document Access

You can use this code snippet if you only want the owner of a document to be able to access a specific document (which must be named after the UID of the user):

match /accounts/{userID} {
    allow read, write: if isOwnerOf(userID);
}

function isOwnerOf(userID) {
    return request.auth.uid == userID
}

If you do not want to give the document the name of the UID, then you can define the following rule (make sure, that the document has an uid field with the UID of the user):

match /accounts/{userID} {
    allow read, write: if isOwnerOf(userID);
}

function isOwnerOf(userID) {
    return request.auth.uid == resource.data.uid;
}

Allow Access to Specific Documents

To give access to a specific field, you use the following: You can either have a string field, that for example says open:

match /collection/{docID} {
    allow read: if resource.data.status == 'open';
}

Or, you can also have a boolean field called isOpen, etc.:

match /collection/{docID} {
    allow read: if resource.data.isOpen;
}

You can also specify another path and check there:

match /collection/{docID} {
    allow read: if get(/databases/$(database)/documents/otherCollection/$(docID)).data.isOpen;
}

To check, if something exists, can also be useful (even though, this example here only checks, if the document, that should be read from, exists. So you can argue about the usefulness of that specific snippet):

match /collection/{docID} {
    allow read: if exists(/databases/$(database)/documents/collection/$(docID));
}

More Information

You can find more information on the official Website. So, I hope, this was somewhat useful for you. Please, if it was, feel free to leave a comment. Also, you might be interested in reading some other posts on my website concerning Firestore. For example my Flutter Firestore Tutorial.


QRChat

Firestore Security Rules Recipes
Firestore Security Rules Recipes

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment