0
0
GcpHow-ToBeginner · 3 min read

How to Use Firestore Security Rules for Data Protection

Use Firestore Security Rules to control who can read or write data in your Firestore database by defining conditions based on user identity and data. Write rules in a simple syntax that checks requests and data before allowing access.
📐

Syntax

Firestore security rules use a simple structure with match blocks to specify database paths and allow statements to define permissions. You can check read and write actions and add conditions using request.auth (user info) and resource.data (existing data).

Key parts:

  • service cloud.firestore: Starts the rules for Firestore.
  • match /databases/{database}/documents: Applies rules to documents.
  • match /collection/{docId}: Targets a specific collection and document.
  • allow read, write: if condition;: Grants access if the condition is true.
firestore-security-rules
service cloud.firestore {
  match /databases/{database}/documents {
    match /collection/{docId} {
      allow read, write: if <condition>;
    }
  }
}
💻

Example

This example allows only authenticated users to read and write their own user document in the users collection. It checks that the user ID matches the document ID.

firestore-security-rules
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
Output
If a user is signed in and tries to access their own document in 'users', access is allowed; otherwise, it is denied.
⚠️

Common Pitfalls

Common mistakes include:

  • Not checking request.auth, which can allow anyone to access data.
  • Using overly broad rules like allow read, write: if true; that open your database.
  • Forgetting to secure subcollections or nested documents.
  • Not testing rules with the Firestore emulator or Firebase console.
firestore-security-rules
service cloud.firestore {
  match /databases/{database}/documents {
    // Wrong: allows anyone to read and write
    match /public/{docId} {
      allow read, write: if true;
    }

    // Right: only authenticated users can read
    match /public/{docId} {
      allow read: if request.auth != null;
      allow write: if false;
    }
  }
}
📊

Quick Reference

Rule ElementDescriptionExample
service cloud.firestoreStarts Firestore rulesservice cloud.firestore { ... }
matchTargets database pathsmatch /users/{userId} { ... }
allowGrants read/write if condition trueallow read: if request.auth != null;
request.authUser authentication inforequest.auth.uid == userId
resource.dataCurrent document dataresource.data.owner == request.auth.uid

Key Takeaways

Always check user identity with request.auth to protect data.
Use match blocks to target specific collections or documents.
Test your rules with Firebase tools before deploying.
Avoid open rules like 'allow read, write: if true;' to prevent data leaks.
Use conditions to limit access based on user ID or data fields.

Related by keyword

How to Export Data from BigQuery: Simple Steps and ExamplesBigQueryHow to Load Data into BigQuery: Simple Steps and ExamplesBigQueryHow to Query Data in BigQuery: Simple GuideBigQueryHow to Encrypt Data Using KMS in GCP: Simple GuideSecurityWhat is Security Command Center in GCP: Overview and Use CasesSecurity

Up next

Materialized View in BigQuery: Definition and UsageWhat is Slot in BigQuery: Explanation and UsageHow to Create Subscription in Google Cloud Pub/SubHow to Create a Topic in Google Cloud Pub/Sub

More in Firestore

Firestore vs DynamoDB: Key Differences and When to Use EachFirestore vs Realtime Database: Key Differences and When to Use EachHow to Add a Document to Firestore: Simple GuideHow to Create Firestore Database on Google Cloud Platform