
Common rule patterns in Firebase - Practice Problems & Coding Challenges

Challenge - 5 Problems
service_behavior
intermediate
Firebase Realtime Database: What does this rule allow?
Given the following Firebase Realtime Database security rule, what does it allow users to do?
{
  "rules": {
    "messages": {
      "$messageId": {
        ".read": "auth != null",
        ".write": "auth != null && auth.uid == data.child('owner').val()"
      }
    }
  }
}
A. Any user can read and write any message regardless of authentication.
B. Any authenticated user can read all messages, but only the owner can modify their own messages.
C. Only the owner can read and write their messages; others cannot read any messages.
D. Anyone can read messages, but only authenticated users can write.
💡 Hint
Look at the conditions for .read and .write separately.
Architecture
intermediate
Firebase Firestore: How to structure rules for user profiles?
You want to allow users to read any profile but only edit their own profile in Firestore. Which rule structure achieves this?
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Fill in read and write rules
    }
  }
}
A. allow read: if true; allow write: if request.auth.uid == userId;
B. allow read, write: if request.auth.uid == userId;
C. allow read: if request.auth.uid == userId; allow write: if true;
D. allow read, write: if true;
💡 Hint
Think about who should read and who should write.
security
advanced
Firebase Realtime Database: What error occurs with this rule?
Consider this Firebase Realtime Database rule snippet:
{
  "rules": {
    "posts": {
      "$postId": {
        ".write": "auth.uid == newData.child('author').val()"
      }
    }
  }
}

What error will this cause when deploying?
A. SyntaxError because 'auth.uid' should be 'auth.uid != null'
B. Runtime error because 'newData' is undefined in write rules
C. No error; rule is valid and deploys successfully
D. Validation error because 'newData' is not allowed; should use 'newData.exists()' first
💡 Hint
Check if 'newData' usage requires existence checks.
Best Practice
advanced
Firestore Rules: Preventing unauthorized document deletion
Which Firestore rule best prevents users from deleting documents they do not own, while allowing them to update other fields?
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemId} {
      allow update: if request.auth.uid == resource.data.owner;
      allow delete: ???
    }
  }
}
A. allow delete: if true;
B. allow delete: if request.auth.uid != null;
C. allow delete: if request.auth.uid == resource.data.owner;
D. allow delete: if request.auth.uid == request.resource.data.owner;
💡 Hint
Who should be allowed to delete documents?
🧠 Conceptual
expert
Firebase Security Rules: What is the effect of this rule order?
Consider these Firebase Realtime Database rules:
{
  "rules": {
    ".read": "auth != null",
    "users": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

What is the effective read permission for the path /users/123 if the user is authenticated but their uid is not '123'?
A. The user can read /users/123 because the top-level .read allows any authenticated user.
B. The user cannot read /users/123 because the more specific rule denies access.
C. The user can read /users/123 only if they are the owner (uid == 123).
D. The user cannot read /users/123 because .read rules do not cascade.
💡 Hint
Remember how Firebase merges rules at different levels.