Skip to main content

Security Rules

This is a drop-in example of Firebase Security Rules designed for a typical chat application. You can copy and paste it in your project's Firebase console, Firestore service, Rules tab.

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Function available for all collections
    // Checks that request is coming from an authenticated user
    function isSignedIn() {
      return request.auth != null;
    }

    // Rules for the users collection
    match /users/{userId} {
      // Validates user's object format
      // Remove this if you don't plan to provide first or last names
      function isUserCorrect() {
        return isSignedIn() && request.resource.data.firstName is string && request.resource.data.lastName is string;
      }

      // Checks that the document was created by currently logged in user
      function isSelf() {
        return request.auth.uid == userId;
      }

      // Rules set for the users collection
      allow create: if isUserCorrect();
      allow delete: if isSelf();
      allow read: if isSignedIn();
      allow update: if isUserCorrect() && isSelf();
    }

    // Rules for the rooms collection
    match /rooms/{roomId} {
      // Checks that currently logged in user exists in users collection
      function userExists() {
        return isSignedIn() && exists(/databases/$(database)/documents/users/$(request.auth.uid));
      }

      // Checks that currently logged in user is in the room
      function isUserInRoom() {
        return isSignedIn() && request.auth.uid in resource.data.userIds;
      }

      // Validates room's object format
      function isRoomCorrect() {
        return request.resource.data.type is string && request.resource.data.userIds is list;
      }

      // Rules set for the rooms collection
      allow create: if userExists() && isRoomCorrect();
      allow delete, read, update: if isUserInRoom();

      // Rules for the messages collection
      match /messages/{messageId} {
        // Checks that currently logged in user is in the room
        function isUserInRoomUsingGet() {
          return isSignedIn() && request.auth.uid in get(/databases/$(database)/documents/rooms/$(roomId)).data.userIds;
        }

        // Validates message's object format
        function isMessageCorrect() {
          return request.resource.data.authorId is string && request.resource.data.createdAt is timestamp;
        }

        // Checks that message's author is currently logged in user
        function isMyMessage() {
          return request.auth.uid == resource.data.authorId;
        }

        // Rules set for the messages collection
        allow create: if isSignedIn() && isMessageCorrect();
        allow delete, read: if isUserInRoomUsingGet();
        allow update: if isUserInRoomUsingGet() && isMyMessage();
      }
    }
  }
}

To learn more head over to the Firebase Security Rules website.