Firebase · Cloud · ~5 mins

Role-based access control pattern in Firebase - Commands & Configuration

Introduction
Role-based access control decides who can do what in your app. It keeps your app safe by giving different users different permissions based on their role. Use this pattern:
When you want only admins to add or delete data in your Firebase database.
When you want regular users to read data but not change it.
When you want to restrict access to certain parts of your app based on user roles.
When you want to manage permissions in one place instead of writing permission checks throughout your app code.
When you want to keep your app secure by limiting what each user can do.
Config File - firestore.rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isSignedIn() {
      return request.auth != null;
    }

    function isAdmin() {
      return request.auth != null && request.auth.token.role == 'admin';
    }

    match /{document=**} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }
  }
}

This file sets rules for who can read and write data in Firestore. The catch-all match /{document=**} applies the two rules to every document in the database, so every signed-in user can read everything; narrow the match if some collections hold data that only its owner should see.

allow read: lets any signed-in user read data.

allow write: only lets users whose token carries the 'admin' role write data.

isSignedIn() checks that the request carries a verified ID token, i.e. the user is logged in.

isAdmin() checks that the user is logged in and that the role custom claim in their ID token (request.auth.token.role) equals 'admin'.

Commands
This command uploads and activates the Firestore security rules to your Firebase project. It ensures your role-based access control is enforced.
Terminal
firebase deploy --only firestore:rules
Expected Output
=== Deploying to 'your-project-id'...
i  deploying firestore
i  firestore: releasing rules...
✔  firestore: rules released successfully
✔  Deploy complete!
--only firestore:rules - Deploys only Firestore security rules without affecting other Firebase services.
Starts the local Firestore emulator so you can test your security rules and role-based access control without affecting live data.
Terminal
firebase emulators:start --only firestore
Expected Output
i  emulators: Starting emulators: firestore
✔  firestore emulator running at http://localhost:8080
All emulators started, it is now safe to connect your app.
--only firestore - Starts only the Firestore emulator.
Runs tests against your Firestore rules using a test file to check if role-based access control works as expected.
Terminal
firebase firestore:rules:test --rules=firestore.rules --file=tests.json
Expected Output
Running Firestore rules tests...
Test 1: Read by signed-in user - PASSED
Test 2: Write by admin user - PASSED
Test 3: Write by regular user - FAILED
3 tests run, 2 passed, 1 failed
--rules - Specifies the rules file to test.
--file - Specifies the test cases file.
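As an added example (not code from the original page or from Firebase), here is a Node.js model of how the rules in firestore.rules evaluate request.auth, covering the three cases the rules test above reports plus an unauthenticated read. The helper names (fakeToken, decodeClaims, authFromToken, allow, runCases) are assumptions, and the tokens are constructed and unsigned so the block runs offline; real authorization is performed by Firestore only after it has verified the ID token signature.

```javascript
// Added example, not code from the original page: a local model of how Firestore
// evaluates the rules above against request.auth. Real enforcement happens in
// Firestore after it verifies the ID token; this only mirrors the predicates.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Constructed, unsigned JWT (alg none) so the example runs offline. Never accept
// such a token in a real system; Firebase rejects unsigned tokens before rules run.
function fakeToken(claims) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.`;
}

// Read the payload claims, which is where request.auth.token comes from.
// No signature check here: illustration only, never an authorization decision.
function decodeClaims(idToken) {
  const payload = idToken.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
}

// request.auth as the rules engine sees it: null when no token was presented.
function authFromToken(idToken) {
  if (!idToken) return null;
  const token = decodeClaims(idToken);
  return { uid: token.sub, token };
}

// Mirrors of isSignedIn() and isAdmin() from firestore.rules.
const isSignedIn = (request) => request.auth != null;
const isAdmin = (request) => request.auth != null && request.auth.token.role === 'admin';

// Mirror of match /{document=**}: read for signed-in users, write for admins only.
// Anything not explicitly allowed is denied, as in Firestore.
function allow(operation, request) {
  if (operation === 'read') return isSignedIn(request);
  if (operation === 'write') return isAdmin(request);
  return false;
}

// Constructed users: one with the role custom claim set, one without (the first
// common mistake listed below leaves every user looking like the second).
const ADMIN_TOKEN = fakeToken({ sub: 'admin-uid', role: 'admin' });
const USER_TOKEN = fakeToken({ sub: 'user-uid' });

function runCases() {
  return {
    readBySignedIn: allow('read', { auth: authFromToken(USER_TOKEN) }),
    writeByAdmin: allow('write', { auth: authFromToken(ADMIN_TOKEN) }),
    writeByRegular: allow('write', { auth: authFromToken(USER_TOKEN) }),
    readAnonymous: allow('read', { auth: authFromToken(null) }),
  };
}
```

This model is a quick sanity check of the rule logic, not a replacement for running the rules in the emulator, which also covers path matching and request.resource data.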
Key Concept

If you remember nothing else from this pattern, remember: assign roles in user tokens and enforce permissions in Firestore rules.

Common Mistakes
Not including role information in the user's authentication token.
Without role data, the rules cannot check permissions correctly, so access control fails.
Make sure to add the user's role to their auth token using Firebase Authentication custom claims.
Allowing write access to all signed-in users instead of only admins.
This lets unauthorized users change data, breaking security.
Use a function like isAdmin() in your rules to restrict write access only to admin roles.
Not testing rules locally before deploying.
Mistakes in rules can lock out users or expose data unintentionally.
Use the Firebase emulator and rules test commands to verify your access control before deploying.
Summary
Write Firestore security rules that check user roles in their auth token.
Deploy rules using 'firebase deploy --only firestore:rules' to enforce access control.
Test rules locally with the Firebase emulator and rules test commands to ensure correct permissions.