Firestore Security Rules Recipes — GoTut: Game and Other Tutorials

Here you will find some basic Firestore Security Rules recipes. In particular, I try to cover useful code snippets and explanations that should help you secure your Cloud Firestore database.

First, keep in mind that Firebase grants a request as soon as any allow statement that matches it evaluates to true; there is no way for one rule to take access away that another rule has granted. So the best practice is to grant access only where it is actually needed:

Write and Read

With read and write you can handle the basic actions. Consider the following code:

Everyone would be allowed to read your database but not write to it. So far, so clear. But, those basic actions can be further broken down:

read consists of:

write consists of:

This way you can specify exactly who is allowed to do what.
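The author's snippets did not survive extraction, so here is an added example (my code, not the original post's) of the split described above: read breaks down into get and list, and write into create, update and delete. The collection names products and orders are assumed for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Public catalogue (assumed collection): anyone may read a single
    // product (get) or query the collection (list); nobody may write.
    match /products/{productId} {
      allow read: if true;
      allow write: if false;
    }

    // Orders (assumed collection): a signed-in user may fetch one order
    // by id (get) but may not enumerate the whole collection (list).
    // Creating and correcting orders is allowed, deleting them is not.
    match /orders/{orderId} {
      allow get: if request.auth != null;
      allow list: if false;
      allow create, update: if request.auth != null;
      allow delete: if false;
    }
  }
}
```

Writing `allow list: if false;` is equivalent to leaving it out, since Firestore denies everything that no allow statement grants; spelling it out documents the decision for the next person reading the rules.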

Basics of Firestore Security Rules

First, we should mention that request relates to incoming data, while resource relates to the existing data at a given location. So, the following would relate to data at a specific path:

While this, for example, would refer to the incoming authentication data:

Next, let us look at one basic feature that is handy to know: the keyword is. With is you can check that a value has a specific type. For example:

To specify which path a rule applies to, use the following:
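Since the original snippets are missing from this copy of the post, the following is an added example (not the author's code) that puts the three basics together: resource.data for the stored document, request.auth and request.resource.data for the incoming request, is for type checks, and match with a single-segment wildcard and a recursive wildcard. The posts collection and its fields are assumed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Recursive wildcard: matches every document at any depth. Firestore
    // denies by default anyway; this makes the default explicit.
    match /{document=**} {
      allow read, write: if false;
    }

    // Single-segment wildcard: applies to each document directly under
    // /posts (assumed collection); the id is available as `postId`.
    match /posts/{postId} {
      // `resource.data` is the document as it currently exists.
      allow read: if resource.data.published == true;

      // `request.auth` is the caller's identity, `request.resource.data`
      // is the document as it would look after this write. The `is`
      // checks stop a client from storing, say, a string where a bool
      // is expected, which would otherwise break the read rule above.
      allow create: if request.auth != null
                    && request.resource.data.title is string
                    && request.resource.data.title.size() <= 200
                    && request.resource.data.published is bool
                    && request.resource.data.likes is int
                    && request.resource.data.likes == 0;
    }
  }
}
```

Note that the recursive deny and the posts rule overlap on /posts/{postId}; that is harmless because allow statements are combined with OR, so the deny-all block never takes away what the posts block grants.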

Useful Firestore Security Rules

User authorization is an important issue for most apps. So here you will find some useful code snippets that deal with user authorization.

Allow Access to Signed-In Users

Only allow access, when the requesting user is signed in:

Allow the Owner of a Document Access

Use this snippet if you want only the owner of a document to be able to access it. The document must be named after the UID of the user:

If you do not want to name the document after the UID, you can define the following rule instead (make sure the document has a uid field containing the UID of the user):

Allow Access to Specific Documents

To grant access based on a specific field, check the field's value in the rule. You can use a string field that, for example, holds the value open:

Or you can use a boolean field, for example one called isOpen:

You can also specify another path and check there:

Checking whether something exists can also be useful. Note that this example only checks whether the document being read actually exists, which Firestore already requires for a successful read, so the usefulness of this particular snippet is debatable:
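The recipes of this section in one rules file, as an added example that is not the original post's code. It covers signed-in users, owner access by document name and by uid field, access based on a string or boolean field, a lookup in another path with get(), and an exists() check that is actually useful: it checks a different document than the one being written. All collection and field names (notices, users, notes, rooms, groups, comments, status, isOpen, members, postId) are assumed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper functions keep the per-path rules short and consistent.
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return isSignedIn() && request.auth.uid == uid;
    }

    // Any signed-in user may read the notice board (assumed collection).
    match /notices/{noticeId} {
      allow read: if isSignedIn();
    }

    // Documents named after the UID: only that user may touch /users/{uid}.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // Documents with random ids carry a `uid` field naming the owner.
    // On create the owner comes from the incoming data; on read and
    // delete from the stored document. On update the uid must not
    // change, otherwise an owner could hand the document to anyone.
    match /notes/{noteId} {
      allow create: if isOwner(request.resource.data.uid);
      allow read, delete: if isOwner(resource.data.uid);
      allow update: if isOwner(resource.data.uid)
                    && request.resource.data.uid == resource.data.uid;
    }

    // Field-based access: a string field `status` equal to "open", or a
    // boolean field `isOpen`. Two separate allows, so a missing field in
    // one of them cannot affect the other.
    match /rooms/{roomId} {
      allow read: if resource.data.status == 'open';
      allow read: if resource.data.isOpen == true;
    }

    // Look up another path: only UIDs listed in the `members` array of
    // /groups/{groupId} may read that group's posts. Each get() costs a
    // document read on every evaluation.
    match /groups/{groupId}/posts/{postId} {
      allow read: if isSignedIn()
                  && request.auth.uid in
                     get(/databases/$(database)/documents/groups/$(groupId)).data.members;
    }

    // exists(): a comment may only be created for a post that exists.
    match /comments/{commentId} {
      allow create: if isSignedIn()
                    && request.resource.data.postId is string
                    && exists(/databases/$(database)/documents/posts/$(request.resource.data.postId));
    }
  }
}
```

The update rule on notes is the detail most often missed: checking only resource.data.uid proves the caller owns the document now, but without the equality check the same write could reassign the uid field and with it the ownership.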

More Information

You can find more information on the official website. I hope this was somewhat useful for you. If it was, feel free to leave a comment. You might also be interested in other posts on my website concerning Firestore, for example my Flutter Firestore Tutorial.

Originally published at on June 8, 2019.

In my spare time I work on Timeless Adventure — a fantasy adventure game
