Firestore Security Rules Recipes — GoTut: Game and Other Tutorials

Here you will find some basic Firestore Security Rules Recipes. In particular, I try to cover some basic and useful code snippets and explanations, which should help to secure your Cloud Firestore Database.

First, you should keep in mind, that Firebase checks for the first allow, that is set to true. So, best practice is to give access where access is needed:

service cloud.firestore { match /databases/{database}/documents { // here will be your rules // that grant access to specific documents of collections } }

Write and Read

With read and write you can handle the basic actions. Consider the following code:

service cloud.firestore { 
match /databases/{database}/documents {
match /{document=**} {
allow write: if false;
allow read: if true;
}
}
}

Everyone would be allowed to read your database but not write to it. So far, so clear. But, those basic actions can be further broken down:

read consists of:

get // allows to get a specific document 
list // allows to read or query a collection

write consists of:

create // allows to create a document 
delete // allows to delete a document
update // allows to update a document

This way you can further specify, who is allowed to do what exactly.

Basics of Firestore Security Rules

First, we should mention that request relates to incoming data, while resource relates to the existing data at a given location. So, the following would relate to data at a specific path:

resource.data

While this, for example, would refer to the incoming authentication data:

request.auth

Next, let us have a look at one basic functionality, which can be handy to know: is. Because with the keyword is you can check for a specific type. For example:

resource.data.name is string

To specify, which path a rule is applied to, use the following:

match /{document=**} // the rules apply to all sub-collections match /product/xyz // the rules apply to this specific path match /product/{productId} // the rules apply to this yet-to-be path

Useful Firestore Security Rules

User authorization is an important issue for most apps. So, here you will find some useful code snippets, that deal with user authorization.

Allow Access to Signed-In Users

Only allow access, when the requesting user is signed in:

match /profile/{profileID} { 
allow read: if request.auth != null;
}

Allow the Owner of a Document Access

You can use this code snippet if you only want the owner of a document to be able to access a specific document (which must be named after the UID of the user):

match /accounts/{userID} { 
allow read, write: if isOwnerOf(userID);
}
function isOwnerOf(userID) {
return request.auth.uid == userID
}

If you do not want to give the document the name of the UID, then you can define the following rule (make sure, that the document has an uid field with the UID of the user):

match /accounts/{userID} { 
allow read, write: if isOwnerOf(userID);
}
function isOwnerOf(userID) {
return request.auth.uid == resource.data.uid;
}

Allow Access to Specific Documents

To give access to a specific field, you use the following: You can either have a string field, that for example says open:

match /collection/{docID} { 
allow read: if resource.data.status == 'open';
}

Or, you can also have a boolean field called isOpen, etc.:

match /collection/{docID} { 
allow read: if resource.data.isOpen;
}

You can also specify another path and check there:

match /collection/{docID} { 
allow read: if get(/databases/$(database)/documents/otherCollection/$(docID)).data.isOpen;
}

To check, if something exists, can also be useful (even though, this example here only checks, if the document, that should be read from, exists. So you can argue about the usefulness of that specific snippet):

match /collection/{docID} { 
allow read: if exists(/databases/$(database)/documents/collection/$(docID));
}

More Information

You can find more information on the official Website. So, I hope, this was somewhat useful for you. Please, if it was, feel free to leave a comment. Also, you might be interested in reading some other posts on my website concerning Firestore. For example my Flutter Firestore Tutorial.

Originally published at https://www.gotut.net on June 8, 2019.

--

--

--

In my spare time I work on Timeless Adventure — a fantasy adventure game

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Free Time Dev

Free Time Dev

In my spare time I work on Timeless Adventure — a fantasy adventure game

More from Medium

Tales of a Fantastic Flutter Fantasy

What is the default font family of a Flutter app?

How IoT App Development Services Are Cheering For Flutter Framework?

My First Journey to a BLoC Planet | BLoC For Beginners