
Common rule patterns in Firebase - Step-by-Step Execution

Process Flow - Common rule patterns
Start Request → Match Request Path → Check Rule Conditions → Allow → End Request
A request comes in, matches a path, checks conditions, then allows or denies access.
Execution Sample
Firebase
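match /documents/{docId} {
  // Read: any signed-in user.
  allow read: if request.auth != null;
  // Write: only the user whose uid matches the stored document's owner field.
  allow write: if request.auth.uid == resource.data.owner;
}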
This rule allows reading if the user is logged in, and writing only if the user owns the document.
Process Table
| Step | Request Path | Condition Checked | Condition Result | Access Decision |
|---|---|---|---|---|
| 1 | /documents/abc123 | request.auth != null | true | Allow read |
| 2 | /documents/abc123 | request.auth.uid == resource.data.owner | false | Deny write |
| 3 | /documents/abc123 | request.auth != null | false | Deny read |
| 4 | /documents/abc123 | request.auth.uid == resource.data.owner | true | Allow write |
💡 Access decision made based on condition results for read or write.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 |
|---|---|---|---|---|---|
| request.auth | null or object | object (logged in) | object (logged in) | null | object (logged in) |
| request.auth.uid | undefined | user123 | user123 | undefined | user123 |
| resource.data.owner | user123 | user123 | user456 | user123 | user123 |
Key Moments - 3 Insights
Why does the read request in step 3 get denied?
If request.auth is null (user not logged in), the condition 'request.auth != null' fails, so read access is denied, as shown in step 3 of the Process Table.
Why can a user read but not write the same document?
Read requires only that the user is logged in (request.auth != null), but write requires the user ID to match the document owner. If they don't match, write is denied (step 2).
What happens if the request path does not match any rule?
No matching rule means no access is granted, so the request is denied by default.
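The sample rule's single `allow write` covers create, update and delete with one check against the stored document. The variant below splits it per operation; it is an added example, not code from the original page, it assumes Cloud Firestore (the `resource.data` syntax), and `isOwner` is a hypothetical helper name.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Same collection as the page's sample: /documents/{docId}
    match /documents/{docId} {
      // Hypothetical helper (not on the page): true only for a signed-in
      // caller whose uid equals the given owner value.
      function isOwner(owner) {
        return request.auth != null && request.auth.uid == owner;
      }

      // Unchanged from the page: any signed-in user may read.
      allow read: if request.auth != null;

      // create: no stored document exists yet, so `resource` is null and a
      // check on resource.data.owner can never pass. Check the incoming
      // document instead, so callers can only create documents they own.
      allow create: if isOwner(request.resource.data.owner);

      // update: the caller must own the stored document, and the write must
      // leave the owner field as it is.
      allow update: if isOwner(resource.data.owner)
                    && request.resource.data.owner == resource.data.owner;

      // delete: only the stored document's owner matters.
      allow delete: if isOwner(resource.data.owner);
    }
  }
}
```

A condition that raises an evaluation error, such as reading `resource.data` when no document exists, is treated as a denial.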
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Process Table. What is the access decision at step 2?
A. Allow write
B. Deny write
C. Allow read
D. Deny read
💡 Hint: Check the 'Access Decision' column in row 2 of the Process Table.
2. At which step does the condition 'request.auth != null' evaluate to false?
A. Step 1
B. Step 2
C. Step 3
D. Step 4
💡 Hint: Look at the 'Condition Result' column for 'request.auth != null' in the Process Table.
3. If resource.data.owner changes to 'user123' at step 2, what would happen to the write access decision?
A. Write would be allowed
B. Write would be denied
C. Read would be denied
D. No change
💡 Hint: Compare the 'request.auth.uid' and 'resource.data.owner' values in the Status Tracker after step 2.
Concept Snapshot
Firebase rules check requests by matching paths and conditions.
Use 'allow' with conditions like 'request.auth != null' to control access.
Read and write can have different conditions.
If no rule matches or condition fails, access is denied.
Rules protect data by verifying user identity and ownership.
Full Transcript
Firebase security rules work by matching the incoming request path to defined rules. Then, each rule checks conditions such as whether the user is logged in or owns the data. If the condition is true, access is allowed; otherwise, it is denied. For example, a read request is allowed if the user is authenticated, while a write request requires the user to be the owner of the document. If no rules match or conditions fail, access is denied by default. This ensures data is protected and only accessible to authorized users.