DEV Community

Akash Kumar Mallick

Firebase Firestore Security Rules Tutorial

Introduction

Firestore security rules play a crucial role in protecting your data and defining access permissions for users of your application. In this tutorial, we'll explore how to write security rules for a Firestore database, using a hypothetical blogging application as an example.

Requirements:

  • Firebase project with Firestore database.
  • Basic understanding of Firestore collections and documents.
  • Authentication implemented (for user roles).

Scenario

In our blogging application, we have three main collections:

  1. comments: Contains comments on blog posts.
  2. projects: Stores information about various projects.
  3. certificates: Holds details about certificates earned by users.

Step 1: Basic Setup

Assuming you have already set up your Firebase project and initialized Firestore, let's create a basic security rule structure.

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    // Your rules will go here
  }
}

Step 2: Allowing Read and Write for Comments

Let's start by allowing read and write access for the "comments" collection.

match /databases/{database}/documents {
  match /comments/{commentId} {
    allow read, write: if true;
  }
}

This rule lets anyone, including unauthenticated clients, read, create, modify and delete comments. In a real-world application you will want to restrict access based on authentication, user roles or other conditions.

Step 3: Restricting Write Access for Projects

Next, let's allow read access but deny write access for the "projects" collection.

match /projects/{projectId} {
  allow read: if true;
  allow write: if false;
}

This ensures that clients can read project information but cannot modify it. Note that security rules only govern access through the client SDKs and REST API; writes made from trusted backend code with the Admin SDK bypass rules, so that is the path through which projects would still be updated.

Step 4: Admin-Only Write Access for Certificates

For the "certificates" collection, let's grant write access only to users with an "admin" role.

match /certificates/{certificateId} {
  allow read: if true;
  allow write: if request.auth != null
    && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
}

This rule checks that the request comes from an authenticated user and that the users/{uid} document for that user has its role field set to "admin". Two points to keep in mind: the get() call counts as a document read against the per-request limit for rules, and the users collection needs its own rule so that users cannot write their own role field and grant themselves admin access.
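Putting the three steps together, here is a complete rules file as an added example (not code from the original post). It tightens the comments rule to signed-in authors with a fixed set of fields, and adds a rule for the users collection that the admin check in Step 4 reads from; the users collection, its role field, and the comment fields author, text and postId are assumptions about how the application stores its data.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    function isSignedIn() {
      return request.auth != null;
    }

    // Reads the caller's users/{uid} document (assumed layout); this get()
    // counts as one document read against the per-request limit for rules.
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // Role documents must not be writable by their owner, otherwise a user
    // could set role: 'admin' on their own document and pass isAdmin().
    match /users/{userId} {
      allow read: if isSignedIn() && request.auth.uid == userId;
      allow write: if isAdmin();
    }

    // Comments: public read; authenticated create with a fixed schema and the
    // caller's own uid as author; only the author may update or delete.
    match /comments/{commentId} {
      allow read: if true;
      allow create: if isSignedIn()
        && request.resource.data.keys().hasOnly(['author', 'text', 'postId'])
        && request.resource.data.author == request.auth.uid
        && request.resource.data.text is string
        && request.resource.data.text.size() <= 2000;
      allow update: if isSignedIn() && resource.data.author == request.auth.uid
        && request.resource.data.author == resource.data.author;
      allow delete: if isSignedIn() && resource.data.author == request.auth.uid;
    }

    // Projects: read-only from client SDKs (Admin SDK writes bypass rules).
    match /projects/{projectId} {
      allow read: if true;
      allow write: if false;
    }

    // Certificates: public read, admin-only write.
    match /certificates/{certificateId} {
      allow read: if true;
      allow write: if isAdmin();
    }
  }
}
```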

Conclusion

Writing Firestore security rules requires careful consideration of your application's requirements. Always ensure that your rules provide the necessary security without compromising functionality. Regularly test and iterate on your rules as your application evolves.

Remember to deploy your rules to your Firebase project using the Firebase CLI or the Firebase console.

This tutorial provides a basic starting point, and you should adapt the rules based on your specific use case and user authentication implementation.

Happy coding!
