
Rule syntax and structure in Firebase - Commands & Configuration

Introduction
Firebase security rules control who can read or write data in your database. They use a simple structure to define permissions based on conditions.
When you want to protect your Firebase database from unauthorized access
When you need to allow users to read or write only their own data
When you want to enforce data validation before saving it
When you want to restrict access based on user authentication status
When you want to control access to specific parts of your database
Config File - firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /public/{document=**} {
      allow read: if true;
      allow write: if false;
    }
  }
}

rules_version: Specifies the version of the rules syntax.

service cloud.firestore: Defines rules for Firestore database.

match /databases/{database}/documents: Sets the root path for all documents in the database. The match blocks nested inside it are relative to this path.

match /users/{userId}: Matches documents in the users collection, allowing read and write only if the user is authenticated and their UID equals the document ID captured in userId (that is, the user owns the data).

match /public/{document=**}: Matches all documents in the public collection, including documents in nested subcollections, allowing anyone to read but no one to write.
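
The evaluation described above, as an added example (not part of the original page and not Firebase's rules engine): a simplified JavaScript model of how this rules file decides a request. The names RULES, matchPath and isAllowed are hypothetical, and the sample requests are constructed.

```javascript
// Simplified model (assumption: not Firebase's engine) of the page's rules.
// Paths are relative to /databases/{database}/documents.
const ownerOnly = (req, vars) => req.auth != null && req.auth.uid === vars.userId;

// Each entry mirrors one match block from the rules file on this page.
const RULES = [
  { pattern: "/users/{userId}", allow: { read: ownerOnly, write: ownerOnly } },
  { pattern: "/public/{document=**}", allow: { read: () => true, write: () => false } },
];

// {name} captures exactly one path segment; {name=**} captures all remaining
// segments. Returns the captured variables, or null when the path does not match.
function matchPath(pattern, path) {
  const pat = pattern.split("/").filter(Boolean);
  const seg = path.split("/").filter(Boolean);
  const vars = {};
  for (let i = 0; i < pat.length; i++) {
    const rec = /^\{(\w+)=\*\*\}$/.exec(pat[i]);
    if (rec) { vars[rec[1]] = seg.slice(i).join("/"); return vars; }
    if (i >= seg.length) return null;
    const one = /^\{(\w+)\}$/.exec(pat[i]);
    if (one) vars[one[1]] = seg[i];
    else if (pat[i] !== seg[i]) return null;
  }
  return seg.length === pat.length ? vars : null;
}

// A request is allowed if any matching block grants the method.
// A path that no block matches is denied by default.
function isAllowed(method, path, auth) {
  return RULES.some((rule) => {
    const vars = matchPath(rule.pattern, path);
    const cond = vars && rule.allow[method];
    return Boolean(cond && cond({ auth }, vars));
  });
}

// Constructed sample requests: [method, document path, auth].
const SAMPLES = [
  ["read", "/users/alice", { uid: "alice" }],
  ["write", "/users/alice", { uid: "bob" }],
  ["read", "/public/docs/intro", null],
  ["read", "/users/alice/posts/p1", { uid: "alice" }],
  ["read", "/secrets/x", { uid: "alice" }],
];
for (const [method, path, auth] of SAMPLES) {
  console.log(method, path, auth ? auth.uid : "anonymous", isAllowed(method, path, auth) ? "ALLOW" : "DENY");
}
```

A request for /users/alice/posts/p1 is denied even for alice because {userId} captures a single segment, and a path that no block matches, such as /secrets/x, is denied by default.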

Commands
Deploys the Firestore security rules to your Firebase project to enforce access control.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'your-project-id'...
i deploying firestore
✔ firestore: rules deployed successfully
✔ Deploy complete!
--only firestore:rules - Deploy only Firestore security rules without affecting other Firebase services
Starts the local Firestore emulator to test your security rules without affecting the live database.
Terminal
firebase emulators:start --only firestore
Expected Output
i emulators: Starting emulators: firestore
✔ firestore emulator running at http://localhost:8080
All emulators started, it is now safe to connect.
--only firestore - Start only the Firestore emulator
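Runs your rules tests against a temporary Firestore emulator to verify permissions work as expected. The quoted script ("npm test" here, an assumed script name) is whatever runs your project's rules tests, for example a suite written with @firebase/rules-unit-testing.
Terminal
firebase emulators:exec --only firestore "npm test"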
Expected Output
Running Firestore rules tests... All tests passed successfully.
Key Concept

If you remember nothing else from this pattern, remember: Firebase rules use simple match blocks and conditions to control who can read or write your data.

Common Mistakes
Writing rules without checking if the user is authenticated
This allows anyone to access or modify your data, causing security risks.
Always include a condition like 'request.auth != null' to ensure only logged-in users can access data.
Using incorrect path variables in match statements
Rules won't apply correctly, leading to unexpected access or denials.
Use curly braces {} to capture variables and reference them properly in conditions.
Not deploying updated rules after changes
Your changes won't take effect, leaving old rules active.
Run 'firebase deploy --only firestore:rules' every time you update your rules.
Summary
Write Firebase rules using match blocks to specify which documents they apply to.
Use conditions inside allow statements to control read and write access.
Deploy rules with 'firebase deploy --only firestore:rules' to enforce them.