Firebase · cloud · ~30 mins

Common rule patterns in Firebase - Mini Project: Build & Apply

Firebase Security Rules: Common Rule Patterns
📖 Scenario: You are building a simple Firebase Firestore database for a small blog app. You want to protect your data by writing security rules that control who can read and write posts.
🎯 Goal: Write Firebase security rules using common patterns to allow authenticated users to read all posts, but only allow users to create and update their own posts.
📋 What You'll Learn
Create a rules_version declaration with value '2'
Define a service cloud.firestore block
Allow read access to all documents in the posts collection for authenticated users
Allow write access only if the user is authenticated and the request.auth.uid matches the userId field in the document
Use common rule patterns like allow read: if request.auth != null; and allow write: if request.auth != null && request.auth.uid == resource.data.userId;
💡 Why This Matters
🌍 Real World
Firebase security rules protect your Firestore data from unauthorized access and changes, which is essential for any app with user-generated content.
💼 Career
Understanding and writing Firebase security rules is a key skill for cloud developers and backend engineers working with Firebase and Google Cloud.
1. Set up the basic rules structure
Create a Firebase security rules file starting with rules_version = '2'; and define the service cloud.firestore block with an empty match /databases/{database}/documents block.

Hint: Start by declaring the rules version and the Firestore service block.

2. Add read access for authenticated users
Inside the match /databases/{database}/documents block, add a match /posts/{postId} block. Inside it, allow read access only if request.auth != null.

Hint: Use allow read: if request.auth != null; to permit reads only for signed-in users.

3. Add write access only for owners
Inside the match /posts/{postId} block, add a rule to allow write access only if the user is authenticated and their request.auth.uid matches the userId field in the existing document (resource.data.userId).

Hint: Check that the user is signed in and owns the post by comparing request.auth.uid with resource.data.userId.

4. Allow creating posts with user ownership
Modify the allow write rule to also allow creating new posts if the user is authenticated and the request.resource.data.userId matches request.auth.uid. This allows users to create posts where they are the owner.

Hint: Use request.resource.data.userId to check ownership on new documents and resource.data.userId for existing documents.
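
The four steps assembled into one rules file, as an added example rather than the tutorial's own solution. It splits write into create, update and delete, because joining the step 3 and step 4 checks with || under a single allow write would accept an update on the incoming userId alone. The extra update condition that keeps userId unchanged is an assumption added here.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /posts/{postId} {

      // Step 2: any signed-in user may read posts.
      allow read: if request.auth != null;

      // Step 4 (create): the document does not exist yet, so there is no
      // stored userId to compare. Ownership is checked on the incoming
      // data in request.resource instead.
      allow create: if request.auth != null
                    && request.resource.data.userId == request.auth.uid;

      // Step 3 (update): the caller must own the stored document.
      // Added assumption: the write must also leave userId unchanged, so an
      // owner cannot reassign a post and the incoming value is never the
      // only thing that proves ownership.
      allow update: if request.auth != null
                    && resource.data.userId == request.auth.uid
                    && request.resource.data.userId == resource.data.userId;

      // Step 3 (delete): only the stored document is relevant here.
      allow delete: if request.auth != null
                    && resource.data.userId == request.auth.uid;
    }
  }
}
```

Run the file against the Firebase emulator or the Rules Playground with three requests before deploying: an unauthenticated read, a create with someone else's userId, and an update to another user's post. All three should be denied.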