Firestore Database Security

Using Firebase: Firestore Database

I realised I’d messed up by not paying attention to the security rules, figuring I’d do them later. Now that I’m going back after making everything else, I’m quite confused as to how it works and not sure what the technical words and labels actually mean. I’ve got somewhat of a clue about using the security settings to allow read and write for all authorised users, but I wouldn’t want a user to be able to read everyone else’s data as well.

These are the links I’ve been reading up on and trying:
https://firebase.google.com/docs/storage/security/core-syntax?authuser=5
https://firebase.google.com/docs/rules/basics?authuser=5#cloud-firestore_3
https://firebase.google.com/docs/rules/rules-and-auth?authuser=5#cloud-firestore

https://firebase.google.com/docs/database/web/structure-data?hl=es

https://firebase.google.com/docs/firestore/use-rest-api

I’ve been testing, trying to mix and match solutions; no idea what I’m doing here:

Firestore database rules…

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // On a read the stored document is `resource`; `request.resource`
      // only exists on writes (it is the incoming data), so it cannot be
      // used to check who may read an existing document.
      allow read: if request.auth.uid == resource.data.author_uid;
      allow create: if request.auth.uid == request.resource.data.author_uid;
      allow update, delete: if request.auth.uid == resource.data.author_uid;
    }
  }
}
```

Firestore database as follows…

data setup on appgyver…

creating a HTTP request to check…


[two screenshots omitted]

If anyone could point me in the right direction and the places I’m going wrong I would be very grateful. Thank you.

We’re working on something significantly more integrated for Firebase with documentation, which should help with this!


Thank you Harri, looking forward to reading it.
I’ve actually been looking at it more today and I think I now understand setting up the Firestore security rules, but I’m having a problem with the AppGyver side of things.

These are the Firestore security rules I’ve implemented:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /test/{test=**} {
      // read: compare against the stored document (`resource`), not
      // `request.resource`, which is null on reads and would always deny
      allow read: if request.auth.token.email_verified && resource.data.uid == request.auth.uid;
      // write: any user with a verified email can create, update or delete
      // any document under /test, regardless of who owns it
      allow write: if request.auth.token.email_verified;
    }
  }
}
```

and I’ve set up an HTTP POST request like so to check if it works:



The HTTP request doesn’t go through, but it also doesn’t give me an error message. I’ve checked using a toast as well as by saving the negative output of the HTTP request to a page variable, which I checked in the debugger, and it still remains empty.
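One rules file that covers both situations raised in this thread (the per-user `/users/{userId}` documents from the first post, and the `/test` collection gated on a verified email from this one), restricting every read to the document's own owner. This is an added example, not code from the thread or from AppGyver; the helper functions and the `uid` field name are assumptions.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helpers. request.auth is null for unauthenticated callers (for
    // example an HTTP request sent without a Firebase ID token), so check
    // it before touching request.auth.uid or request.auth.token.
    function isSignedIn() {
      return request.auth != null;
    }
    function isVerified() {
      return isSignedIn() && request.auth.token.email_verified == true;
    }
    function isOwner(uid) {
      return isSignedIn() && request.auth.uid == uid;
    }

    // Profile documents keyed by the user's own uid: a user can read and
    // write /users/<own uid> and nothing else in the collection.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // Documents owned through a `uid` field (assumed field name).
    // `resource` is the document already in the database (reads, updates,
    // deletes); `request.resource` is the incoming data (creates, updates).
    match /test/{docId} {
      allow read: if isVerified() && isOwner(resource.data.uid);
      allow create: if isVerified() && isOwner(request.resource.data.uid);
      allow update: if isVerified()
                    && isOwner(resource.data.uid)
                    && request.resource.data.uid == resource.data.uid; // owner cannot be reassigned
      allow delete: if isVerified() && isOwner(resource.data.uid);
    }
  }
}
```

Two points to check when testing these rules. First, `allow read` covers both single-document gets and collection queries; a query on `/test` is only allowed if it is filtered with `where("uid", "==", <current user's uid>)`, because rules are evaluated against every document the query could return, and an unfiltered query is rejected as a whole rather than returning just the caller's documents. Second, for `request.auth` to be populated on a raw REST call, the request must carry the signed-in user's Firebase ID token in an `Authorization: Bearer <ID token>` header; without it every rule above denies, which produces a permission error rather than an empty result.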

Never mind, I’ve got it now (so far). Whilst I can’t get it to work with an HTTP request, the pre-installed requests under “Data” work fine. Nonetheless I look forward to the upcoming documentation 🙂