is it risky to keep firebase firestore & storage security rules (allow read , write = true) for a lo-CodePudding

im building a Flutter Application for managing tasks and storing clients data on firebase firestore but i have no experience with configuring firebase security rules.

so is it a must to learn about firebase security rules and configure them or its okay to allow read and write with no security rules knowing that the application will be downloaded and used locally only on employees phones (15 person) and permissions on making changes to Documents in cloudFirestore are managed through the signed in user role from the flutter App ?

if its risky what kind of risks i might be facing ?

CodePudding user response：

if you are talking about firebase DBs (e.g. firestore) or storage you must always add security rules depending on what you expect each user to read or write. Your backend can be accessed through other client API e.g. web api so security rules are important.

Firebase uses a domain specific language based on Common Expression Language (CEL). the general structure is :

service << name >>  {
  // Match the resource path.
  match << path >>  {
      // Allow the request if the following conditions are true.
      allow << methods >> : if << condition >>;
  }
}

A very basic rules is to allow any user to read but only authenticated users to write this can be written as follow:

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {     
     allow read; // allow read to all users
     allow write: if request.auth != null; // allow write only to authenticated 
    }
  }
}