The purpose of this tutorial is to introduce you to Firestore Security Rules, a powerful feature in Firebase that allows you to control access to your Firestore database. By the end of this tutorial, you will understand what Firestore Security Rules are, how they are structured, and how to write and apply them in your Firestore database.
Basic familiarity with Firebase and Firestore is helpful but not necessary.
Firestore Security Rules are a set of conditions that you can specify to control who has read and write access to your Firestore database. They are written in an easy-to-understand syntax and can be customized for each document or collection in your database.
Here's a step-by-step guide to understanding and writing Firestore Security Rules:
The rules are organized into service blocks, match blocks, and allow expressions.
service cloud.firestore {
match /databases/{database}/documents {
// Match any document in the 'cities' collection
match /cities/{city} {
allow read, write: if <condition>;
}
}
}
Writing security rules involves specifying the service, matching the path, and allowing access based on a condition.
service cloud.firestore {
match /databases/{database}/documents {
match /cities/{city} {
allow read, write: if request.auth.uid != null;
}
}
}
In the above example, read and write operations are allowed only if the user is authenticated.
Here are some practical examples of Firestore Security Rules:
service cloud.firestore {
match /databases/{database}/documents {
match /cities/{city} {
allow read: if true;
allow write: if request.auth.uid != null;
}
}
}
In this example, any user, authenticated or not, can read the documents, but only authenticated users can write to the database.
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow read, write: if request.auth.uid == userId;
}
}
}
In this example, only the owner of the document (the authenticated user with the same UID as the document ID) can read or write to the document.
In this tutorial, we've introduced Firestore Security Rules, explained how to structure them, and showed you how to write your own rules. Now you can control who can read and write your Firestore documents.
Write a rule that allows only authenticated users to read and write all documents in a collection named private.
Write a rule that only allows the owner of a document in the users collection to read and edit their own document, but allows anyone to create new documents.
Write a rule that only allows read and write operations on a document in the posts collection if the document contains a public field set to true.
Here are the solutions:
service cloud.firestore {
match /databases/{database}/documents {
match /private/{document} {
allow read, write: if request.auth.uid != null;
}
}
}
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow create: if true;
allow read, write: if request.auth.uid == userId;
}
}
}
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{post} {
allow read, write: if resource.data.public == true;
}
}
}
Keep practicing by creating your own rules and testing them in different scenarios.