
Common rule patterns in Firebase - Commands & Configuration

Introduction
Firebase rules control who can read or write data in your database. They help keep your data safe by setting clear permissions.
  • When you want only logged-in users to read or write their own data.
  • When you want to allow public read access but restrict writes to admins.
  • When you want to validate data before it is saved to the database.
  • When you want to organize rules by user roles like admin, editor, or viewer.
  • When you want to prevent users from deleting data they do not own.
Config File - firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Allow users to read and write their own profile
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }

    // Allow anyone to read public posts, but only owners can write
    match /posts/{postId} {
      allow read: if true;
      // On create the document does not exist yet, so the owner is taken from the incoming data
      allow create: if request.auth != null && request.auth.uid == request.resource.data.ownerId;
      // On update and delete check the stored owner (resource), not the incoming data,
      // otherwise a caller could take over someone else's post by writing their own uid into ownerId
      allow update, delete: if request.auth != null && request.auth.uid == resource.data.ownerId;
    }

    // Admins can read and write everything
    match /{document=**} {
      allow read, write: if request.auth != null && request.auth.token.admin == true;
    }
  }
}

This file sets rules for Firestore database access.

  • users/{userId}: Users can only access their own profile data.
  • posts/{postId}: Anyone can read posts, but only the owner can write.
  • {document=**}: Admin users can read and write all data.
Commands
This command uploads and activates your Firestore security rules to protect your database.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'my-firebase-project'...
i  deploying firestore
✔  firestore: rules updated successfully
✔  Deploy complete!
--only firestore:rules - Deploys only the Firestore security rules without affecting other Firebase services.
Starts the local Firestore emulator so you can test your rules safely on your computer.
Terminal
firebase emulators:start --only firestore
Expected Output
i  emulators: Starting emulators: firestore
✔  firestore: Emulator started at http://localhost:8080
All emulators started, it is now safe to connect.
--only firestore - Runs only the Firestore emulator without starting other Firebase emulators.
Runs tests against your Firestore rules using a test file to check if permissions work as expected.
Terminal
firebase firestore:rules:test --rules=firestore.rules --file=tests/read_write_test.json
Expected Output
PASS 3 tests, FAIL 0 tests
All tests passed successfully.
--rules - Specifies the rules file to test.
--file - Specifies the test cases file.
Key Concept

If you remember nothing else from this pattern, remember: Firebase rules protect your data by clearly defining who can read or write each part.

Common Mistakes
  • Allowing write access without checking user identity.
    Anyone could change or delete data, causing security risks.
    Always check that request.auth.uid matches the data owner before allowing writes.
  • Using 'allow read: if true;' on sensitive data.
    This makes private data visible to everyone.
    Restrict read access to authenticated users or specific roles.
  • Not deploying updated rules after changes.
    Your database remains unprotected or uses old rules.
    Run 'firebase deploy --only firestore:rules' after editing rules.
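As an added example (not part of the original page), the following firestore.rules file covers the remaining use cases from the introduction and the mistakes listed above: data is validated before it is saved, access is organized by role via custom claims, public reads are limited to published documents instead of a blanket 'allow read: if true;', and update and delete checks use the stored owner so a client cannot transfer ownership. The collection name 'articles', its field names, the 'role' claim and its values, and the helper function names are assumptions for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions keep the allow lines readable (assumed names, for illustration)
    function isSignedIn() {
      return request.auth != null;
    }

    // The role comes from a custom claim set server-side with the Admin SDK;
    // a client cannot grant itself a role by writing to the database
    function hasRole(role) {
      return isSignedIn() && request.auth.token.role == role;
    }

    function hasAnyRole(roles) {
      return isSignedIn() && request.auth.token.role in roles;
    }

    // Validate the shape of an article before it is saved:
    // only the expected fields, correct types, bounded sizes, server-set timestamp
    function isValidArticle(data) {
      return data.keys().hasOnly(['title', 'body', 'ownerId', 'published', 'updatedAt'])
        && data.title is string && data.title.size() > 0 && data.title.size() <= 200
        && data.body is string && data.body.size() <= 20000
        && data.ownerId is string
        && data.published is bool
        && data.updatedAt == request.time;
    }

    match /articles/{articleId} {
      // Weak pattern from the "Common Mistakes" list, shown disabled: it would expose drafts to everyone
      // allow read: if true;

      // Published articles are public; drafts are visible only to their owner or to an editor/admin
      allow read: if resource.data.published == true
                  || (isSignedIn() && request.auth.uid == resource.data.ownerId)
                  || hasAnyRole(['editor', 'admin']);

      // Create: writers and above, the owner must be the caller, and the document must validate
      allow create: if hasAnyRole(['writer', 'editor', 'admin'])
                    && request.resource.data.ownerId == request.auth.uid
                    && isValidArticle(request.resource.data);

      // Update: the stored owner (resource.data) or an editor/admin;
      // ownerId must stay unchanged so ownership cannot be transferred by the client
      allow update: if isSignedIn()
                    && (request.auth.uid == resource.data.ownerId || hasAnyRole(['editor', 'admin']))
                    && request.resource.data.ownerId == resource.data.ownerId
                    && isValidArticle(request.resource.data);

      // Delete: only the stored owner or an admin; editors and viewers cannot remove other people's work
      allow delete: if isSignedIn()
                    && (request.auth.uid == resource.data.ownerId || hasRole('admin'));
    }
  }
}
```

Deploy it with 'firebase deploy --only firestore:rules' as above, and exercise each allow line in the local emulator first: a create with an extra field, an update that changes ownerId, and a read of an unpublished article by a different signed-in user should all be denied.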
Summary
  • Write rules to control who can read or write each part of your Firestore database.
  • Deploy rules using 'firebase deploy --only firestore:rules' to activate them.
  • Test rules locally with the Firestore emulator before deploying to production.