I've been receiving emails from Firebase saying my secure rules are secured, so I had to find how is the right way to make them secured.
Not recommended:
// Allow read/write access to all users under any conditions
// Warning: **NEVER** use this rule set in production; it allows
// anyone to overwrite your entire database.
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if true;
}
}
}
Recomended:
service cloud.firestore {
match /databases/{database}/documents {
// Assign roles to all users and refine access based on user roles
match /some_collection/{document} {
allow read: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Reader"
allow write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "Writer"
// Note: Checking for roles in your database using `get` (as in the code
// above) or `exists` carry standard charges for read operations.
}
}
}
Just after I try the recommended rules, my app stopped working for authenticated users and I had to keep the unsecured rules to allow the users to get back to use the app... Does anyone have any idea why it did happen?
CodePudding user response:
Try this
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
match /your_collecton_name/{your_documents} {
allow read,write: if request.auth != null
}
}
}