Firebase Security Rules - blog posts

Collection of Firebase Security Rules example snippets for my future use

Hypothetical blog app

posts/post_1
  - title: "first post"
  - content: "📮"
  - owner: "user_1"

users/user_1
  - id: "user_1"
  - email: "[email protected]"

What I want

1. All posts can be read by anyone
2. A post can be created by any authenticated user
3. A post can only be updated/deleted by the authenticated user who created the post

Security Rules for above

1. allow read; // anyone
2. allow create: request.auth != null; // authenticated user
3. allow update, delete: request.auth != null && request.auth.uid == resource.data.owner; // authenticated user who created the post (owner in this case)

Distinction between request and resource

• request is an incoming request (data) from path matched
• resource is the existing data in Firestore that will be evaluated against the set Security Rules

Put them into functions

function isAuthenticated() {
  return request.auth != null;
}

function isPostOwner() {
  return request.auth.uid == resource.data.owner;
}

Security Rules for blog app

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    
    // Match any document in the 'posts' collection
    match /posts/{postId} {
      allow read;
      allow create: if isAuthenticated();
      allow update, delete: if isAuthenticated() && isPostOwner();
    }
    
    // Match any document in the 'users' collection
    match /users/{userId} {
      allow read;
      allow write: if isAuthenticated() && isSameUser(userId);
    }
    
    function isAuthenticated() {
      return request.auth != null;
    }
    
    // request.resource.data: incoming data
    // resource.data: existing data
    function isPostOwner() {
      return request.auth.uid == resource.data.owner;
    }
    
    function isSameUser(userId) {
      return request.auth.uid == userId;
    }
       
  }
}