0
0
FirebaseHow-ToBeginner · 4 min read

How to Write Firestore Security Rules: Simple Guide

To write Firestore security rules, define rules in the firestore.rules file using match blocks to specify database paths and allow statements to control read/write access. Use request.auth to check user identity and resource to check existing data before allowing operations.
📐

Syntax

Firestore security rules use match blocks to target database paths. Inside each match, use allow statements to specify which operations (read, write, get, list) are permitted. Conditions use request and resource objects to check user authentication and data state.

  • match: Defines the path in Firestore to apply rules.
  • allow: Grants permission for operations if conditions are true.
  • request.auth: Represents the user's authentication info.
  • resource: Represents the existing document data.
firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /collection/{docId} {
      allow read, write: if <condition>;
    }
  }
}
💻

Example

This example allows only authenticated users to read and write their own user document in the users collection. It checks that the document ID matches the user's UID.

firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
Output
When deployed, only signed-in users can read or write their own user document; others are denied.
⚠️

Common Pitfalls

Common mistakes include:

  • Not checking request.auth, which can leave data open to anyone.
  • Using overly broad allow rules that grant too much access.
  • Forgetting to match the correct document path, causing rules not to apply.
  • Not testing rules with the Firebase Emulator or console.

Always test your rules to avoid accidental data exposure.

firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Wrong: allows anyone to read/write all documents
    match /{document=**} {
      allow read, write: if true;
    }

    // Right: restrict access to authenticated users only
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}
📊

Quick Reference

Rule ElementDescriptionExample
rules_versionSpecifies the rules language versionrules_version = '2';
service cloud.firestoreDefines Firestore rules serviceservice cloud.firestore { ... }
matchTargets Firestore document pathsmatch /users/{userId} { ... }
allowGrants permission for operationsallow read, write: if condition;
request.authUser authentication inforequest.auth != null
resourceExisting document dataresource.data.owner == request.auth.uid

Key Takeaways

Always use match and allow to control access to Firestore paths.
Check request.auth to ensure users are authenticated before allowing access.
Test your rules with Firebase Emulator or console to avoid accidental data leaks.
Use specific path matching to limit access to only needed documents.
Avoid overly broad rules like allow read, write: if true; which open your database.

Related by keyword

How to Use Batch Write in Firestore: Simple GuideCloud FirestoreHow to Add a Document in Firestore: Simple GuideCloud FirestoreHow to Create a Collection in Firestore: Simple GuideCloud FirestoreHow to Delete a Document in Firestore: Simple GuideCloud FirestoreHow to Generate Auto ID in Firestore: Simple GuideCloud Firestore

Up next

What is Firestore Cache: Explanation and UsageWhat is Subcollection in Firestore: Explained SimplyHow to Delete Data in Firebase Realtime Database EasilyHow to Read Data from Firebase Realtime Database

More in Firestore Security Rules

Common Security Rules Patterns in Firebase: Best PracticesHow to Allow Authenticated Users Only in FirebaseHow to Allow Owner Only Access in Firebase: Simple GuideHow to Set Rules for Subcollection in Firebase Security Rules