Firebase · How-To · Beginner

How to Allow Owner Only Access in Firebase: Simple Guide

To allow owner only access in Firebase, use Firebase Security Rules that check if the authenticated user's ID matches the owner's ID stored in your database. This ensures only the owner can read or write their data by comparing request.auth.uid with the owner's UID.

Syntax

Firebase Security Rules use a JSON-like syntax to control access. The key parts are:

  • match: Defines the path in the database to protect.
  • allow: Specifies read or write permissions.
  • request.auth.uid: The ID of the authenticated user making the request.
  • resource.data.ownerId: The owner's user ID stored in the data.

Rules compare request.auth.uid with resource.data.ownerId to allow access only if they match. Note that resource is the document as stored before the request, so it does not exist yet on a create; for creates, compare against request.resource.data.ownerId, the data being written.

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemId} {
      // Existing documents: compare against the stored ownerId.
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.ownerId;
      // New documents: resource does not exist yet, so check the incoming data.
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.ownerId;
    }
  }
}
```

Example

This example shows a Firestore rule that allows only the owner of a document to read or write it. Here the owner's ID is the document ID itself (the {userId} path segment), so no separate ownerId field is needed.

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
```
Output
Only the authenticated user whose UID matches the document ID can read or write that document.

Common Pitfalls

Common mistakes include:

  • Not checking if request.auth is null, which allows unauthenticated access.
  • Comparing request.auth.uid to the wrong field or path.
  • Storing the owner ID incorrectly or not updating it.

Always verify the owner ID is correctly set in your documents and your rules check authentication before comparing IDs.

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /items/{itemId} {
      // Wrong: allows anyone to read. Allow statements are OR-ed, so this
      // line must be deleted, not merely accompanied by the correct one below.
      allow read: if true;
      // Correct: only the owner can read, update or delete an existing document...
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.ownerId;
      // ...and a signed-in user can only create a document they own.
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.ownerId;
    }
  }
}
```
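To make the two pitfalls above concrete (the Syntax section's resource-on-create problem and the OR-ed "allow read: if true" line here), the following is an added JavaScript model of how Firestore evaluates these allow clauses. It is not Firebase's code; the principals, document and rule functions are constructed for illustration.

```javascript
// Added model (not Firebase code) of how Firestore evaluates the allow clauses on
// this page: `resource` is null on create, `request.resource` is the incoming
// document, all `allow` clauses are OR-ed, and a throwing expression means deny.

// As in Firestore, `read` covers get/list and `write` covers create/update/delete.
const expand = (m) =>
  m === 'read' ? ['get', 'list'] : m === 'write' ? ['create', 'update', 'delete'] : [m];
const allow = (methods, cond) => ({ methods: methods.flatMap(expand), cond });

// Access is granted if ANY clause matching the method is true. An error
// (e.g. `.data` on a null resource) counts as false, i.e. the request is denied.
function evaluate(rules, method, request, resource) {
  return rules.some(({ methods, cond }) => {
    if (!methods.includes(method)) return false;
    try { return cond(request, resource) === true; } catch (_) { return false; }
  });
}

// The rule as first written on the page: resource.data.ownerId for every write.
const naiveRules = [
  allow(['read', 'write'], (req, res) => req.auth !== null && req.auth.uid === res.data.ownerId),
];
// Corrected: stored document via `resource`, new document via `request.resource`.
const fixedRules = [
  allow(['read', 'update', 'delete'], (req, res) => req.auth !== null && req.auth.uid === res.data.ownerId),
  allow(['create'], (req) => req.auth !== null && req.auth.uid === req.resource.data.ownerId),
];
// The "Wrong: allow read if true" line from the pitfalls section left in place.
const leakyRules = [allow(['read'], () => true), ...fixedRules];

// Constructed sample principals and document (not real data).
const owner = { uid: 'alice' };
const stranger = { uid: 'mallory' };
const existingDoc = { data: { ownerId: 'alice', title: 'notes' } };

function ownerCanCreate(rules) {
  const req = { auth: owner, resource: { data: { ownerId: 'alice' } } };
  return evaluate(rules, 'create', req, null); // nothing stored yet: resource is null
}
const ownerCanRead = (rules) => evaluate(rules, 'get', { auth: owner }, existingDoc);
const strangerCanRead = (rules) => evaluate(rules, 'get', { auth: stranger }, existingDoc);
const anonCanRead = (rules) => evaluate(rules, 'get', { auth: null }, existingDoc);

console.log({
  naiveDeniesOwnerCreate: !ownerCanCreate(naiveRules), // true: the create bug
  fixedAllowsOwnerCreate: ownerCanCreate(fixedRules),   // true
  fixedBlocksOthers: !strangerCanRead(fixedRules) && !anonCanRead(fixedRules), // true
  leakyExposesToAnyone: anonCanRead(leakyRules),        // true: OR-ed allow
});
```

The same requests can be replayed against the real rules with the Firebase Emulator, which is the check the Quick Reference below recommends before deploying.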

Quick Reference

Tips for owner-only access in Firebase:

  • Always check request.auth != null to ensure the user is signed in.
  • Store the owner's UID in a consistent field like ownerId.
  • Match the document path to the user ID when possible for simpler rules.
  • Test your rules using Firebase Emulator or console before deploying.

Key Takeaways

  • Use Firebase Security Rules to restrict access by comparing request.auth.uid with the owner's ID.
  • Always verify the user is authenticated before allowing access.
  • Store the owner's UID clearly in your data for reliable checks.
  • Test your security rules thoroughly to avoid accidental public access.