
Read and write permissions in Firebase - Commands & Configuration

Introduction
Firebase security rules control who can read or write data in your database. They protect your data from unauthorized access and changes.
When you want only logged-in users to read their own data.
When you want to prevent anyone from deleting data accidentally.
When you want to allow public read but restrict write access to admins.
When you want to test your app with open access during development.
When you want to secure sensitive information from being read by others.
Config File - firestore.rules
firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Allow read/write only if the user is authenticated and the document ID matches their UID
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    // Allow read to everyone, write only to admins
    match /publicData/{docId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.token.admin == true;
    }
  }
}

This file sets rules for Firestore database access.

The users/{userId} path allows only the user with matching ID to read and write their data.

The publicData/{docId} path allows anyone to read but only authenticated admins to write.

Commands
This command uploads the security rules to your Firebase project and activates them, so the read and write permissions are enforced.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'your-project-id'...
✔ firestore: rules: firestore.rules
✔ Deploy complete!
Project Console: https://console.firebase.google.com/project/your-project-id/overview
--only firestore:rules - Deploy only Firestore security rules without affecting other services
Starts the local Firestore emulator to test your security rules without affecting live data.
Terminal
firebase emulators:start --only firestore
Expected Output
i emulators: Starting emulators: firestore
✔ firestore emulator running at http://localhost:8080
⚠ firestore: The rules file firestore.rules was loaded successfully
--only firestore - Run only the Firestore emulator
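Runs your rules tests against a temporary Firestore emulator to verify read and write permissions. The Firebase CLI has no firestore:rules:test command; rules tests are written with the @firebase/rules-unit-testing library and run inside an emulator session. This assumes your project's npm test script runs those tests.
Terminal
firebase emulators:exec --only firestore "npm test"
Expected Output
The pass/fail summary is printed by your test runner, not by the Firebase CLI, so its format depends on the runner you use.
--only firestore - Start only the Firestore emulator for the test run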
Key Concept

If you remember nothing else from this pattern, remember: security rules must explicitly allow read or write access based on user identity or roles to protect your data.

Common Mistakes
Allowing read or write access without checking if the user is authenticated.
This lets anyone read or change your data, risking data leaks or corruption.
Always check if request.auth is not null before allowing access.
Using overly broad rules like 'allow read, write: if true;' in production.
This removes all protection and exposes your database to the public.
Use specific conditions that limit access to authorized users only.
Not testing rules locally before deploying.
Mistakes in rules can cause your app to break or expose data unintentionally.
Use the Firebase emulator and rules test commands to verify rules before deployment.
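The first two mistakes above can be caught mechanically before a deploy. The following is an added example, not part of the original page or of the Firebase CLI: a heuristic JavaScript lint that scans rules text for unconditional and unauthenticated allow statements. The names lintRules and SAMPLE_RULES, the issue labels, and the /drafts path are made up for illustration.

```javascript
// Added example: heuristic lint for a firestore.rules file, run before deploying.
// Assumption: each allow statement fits on one line. This scans text, it does not
// parse the rules language, so treat every finding as a prompt for manual review.
const WRITE_OPS = ['write', 'create', 'update', 'delete'];

function lintRules(source) {
  const findings = [];
  const scopes = [];                                 // open blocks, innermost last
  source.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/\/\/.*$/, '').trim();  // drop // comments
    if (line.startsWith('}')) { scopes.pop(); return; }
    const block = line.match(/^(?:match\s+(\S+)|.+?)\s*\{$/);
    if (block) { scopes.push(block[1] || ''); return; }
    const allow = line.match(/^allow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.+?))?\s*;$/);
    if (!allow) return;
    const ops = allow[1].split(',').map((op) => op.trim());
    const cond = allow[2] || 'true';                 // "allow read;" is unconditional
    let issue = null;
    if (cond === 'true') {
      issue = ops.some((op) => WRITE_OPS.includes(op)) ? 'unconditional-write' : 'public-read';
    } else if (cond !== 'false' && !/\brequest\.auth\b/.test(cond)) {
      issue = 'no-auth-check';                       // helper-function conditions also land here
    }
    if (issue) findings.push({ line: idx + 1, path: scopes.join(''), ops, issue });
  });
  return findings;
}

// Constructed sample: the page's two rules plus two deliberately broad ones.
const SAMPLE_RULES = `service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /publicData/{docId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.token.admin == true;
    }
    match /drafts/{docId} {
      allow read, write: if true;
      allow delete: if resource.data.locked == false;
    }
  }
}`;

for (const f of lintRules(SAMPLE_RULES)) {
  console.log(`line ${f.line} ${f.path} [${f.ops.join(',')}] ${f.issue}`);
}
```

A public-read finding, such as the one on publicData, is informational: it confirms that the exposure is intended rather than accidental.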
Summary
Write security rules in firestore.rules to control who can read and write data.
Deploy rules using 'firebase deploy --only firestore:rules' to activate them.
Test rules locally with Firebase emulators and rule test commands before deploying.