Security Rules
This is a drop-in example of Firebase Security Rules designed for a typical chat application. You can copy and paste it into your project's Firebase console, under the Firestore service's Rules tab.
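rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Function available for all collections
    // Checks that request is coming from an authenticated user
    function isSignedIn() {
      return request.auth != null;
    }

    // Rules for the users collection
    match /users/{userId} {
      // Validates user's object format
      // Remove this if you don't plan to provide first or last names
      function isUserCorrect() {
        return isSignedIn()
          && request.resource.data.firstName is string
          && request.resource.data.lastName is string;
      }

      // Checks that the document belongs to the currently logged in user.
      // isSignedIn() is evaluated first so request.auth.uid is never read
      // when request.auth is null.
      function isSelf() {
        return isSignedIn() && request.auth.uid == userId;
      }

      // Rules set for the users collection
      // create requires isSelf() as well: without it any signed-in user could
      // write a profile document under another user's id.
      allow create: if isUserCorrect() && isSelf();
      allow delete: if isSelf();
      allow read: if isSignedIn();
      allow update: if isUserCorrect() && isSelf();
    }

    // Rules for the rooms collection
    match /rooms/{roomId} {
      // Checks that currently logged in user exists in users collection
      function userExists() {
        return isSignedIn()
          && exists(/databases/$(database)/documents/users/$(request.auth.uid));
      }

      // Checks that currently logged in user is in the room
      // (reads the stored document, so it applies to existing rooms only)
      function isUserInRoom() {
        return isSignedIn() && request.auth.uid in resource.data.userIds;
      }

      // Validates room's object format
      function isRoomCorrect() {
        return request.resource.data.type is string
          && request.resource.data.userIds is list;
      }

      // Checks that the creator lists themselves as a member of the new room,
      // so a user cannot create rooms they are not allowed to read afterwards
      function isCreatorInRoom() {
        return request.auth.uid in request.resource.data.userIds;
      }

      // Rules set for the rooms collection
      allow create: if userExists() && isRoomCorrect() && isCreatorInRoom();
      allow delete, read, update: if isUserInRoom();

      // Rules for the messages collection
      match /messages/{messageId} {
        // Checks that currently logged in user is in the room
        // (performs a get() of the parent room document)
        function isUserInRoomUsingGet() {
          return isSignedIn()
            && request.auth.uid in get(/databases/$(database)/documents/rooms/$(roomId)).data.userIds;
        }

        // Validates message's object format
        function isMessageCorrect() {
          return request.resource.data.authorId is string
            && request.resource.data.createdAt is timestamp;
        }

        // Checks that the incoming authorId is the currently logged in user,
        // so a client cannot write a message under someone else's id
        function isAuthoredByMe() {
          return isSignedIn() && request.resource.data.authorId == request.auth.uid;
        }

        // Checks that the stored message's author is the currently logged in user
        function isMyMessage() {
          return request.auth.uid == resource.data.authorId;
        }

        // Rules set for the messages collection
        // create requires room membership and a matching authorId (previously any
        // signed-in user could post to any room with any authorId);
        // update keeps authorId fixed to the original author.
        allow create: if isUserInRoomUsingGet() && isMessageCorrect() && isAuthoredByMe();
        allow delete, read: if isUserInRoomUsingGet();
        allow update: if isUserInRoomUsingGet() && isMyMessage() && isAuthoredByMe();
      }
    }
  }
}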
To learn more, head over to the Firebase Security Rules website.