Firebase Security Rules

1. Messaging / Chat Apps

  • Example: WhatsApp-like app, group chat app.
  • Rules Focus:
    • Users can read messages only if they are part of the chat.
    • Users can write messages only in chats they belong to.
    • Often involves per-user access control and timestamps.

Why different: You need fine-grained access control to prevent users from reading other users’ messages.

Copy and paste the code below exactly in Firebase:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Chats collection
    match /chats/{chatId} {
      // A user may create a chat only if they list themselves as a participant.
      // On create the document does not exist yet, so the participant list is
      // read from request.resource (the incoming data), not resource.
      allow create: if request.auth != null
                    && request.auth.uid in request.resource.data.participants;
      // Only existing participants can read or modify the chat
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid in resource.data.participants;
    }

    // Messages inside chats: check the parent chat's participant list
    match /chats/{chatId}/messages/{messageId} {
      allow read, write: if request.auth != null
                         && request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants;
    }
  }
}

2. Social Media Apps

  • Example: Instagram, Twitter clone.
  • Rules Focus:
    • Public posts: anyone can read, only the author can write/delete.
    • Private posts: read/write only by specific users.
    • Rules may depend on user relationships (friends, followers).

Why different: Read access depends on user relationships, not just the document ID.

Copy and paste the code below exactly in Firebase:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Posts collection
    match /posts/{postId} {
      // Public posts are readable by anyone; private posts only by listed users
      allow read: if resource.data.isPublic == true
                  || (request.auth != null
                      && request.auth.uid in resource.data.allowedUsers);
      // Only the author can create, update or delete a post. On create the
      // document does not exist yet, so the author id is read from request.resource.
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.authorId;
      allow update, delete: if request.auth != null
                            && request.auth.uid == resource.data.authorId;
    }

    // Comments subcollection
    match /posts/{postId}/comments/{commentId} {
      allow read: if true;
      allow write: if request.auth != null;
    }
  }
}

3. E-commerce / Inventory Apps

  • Example: Online store, stock management.
  • Rules Focus:
    • Users can read products.
    • Only admins can write/update/delete products.
    • Users can write orders, but only for themselves.

Why different: Role-based access control is key (admin vs customer).

Copy and paste the code below exactly in Firebase:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Products: anyone can read; only admins (custom claim "admin") can modify.
    // "write" already covers create, update and delete.
    match /products/{productId} {
      allow read: if true;
      allow write: if request.auth != null && request.auth.token.admin == true;
    }

    // Orders: users can only create and access their own. On create the
    // document does not exist yet, so the owner id is read from request.resource.
    match /orders/{orderId} {
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.userId;
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.userId;
    }
  }
}

4. Finance / Banking Apps

  • Example: Payment, wallet, or transaction tracker.
  • Rules Focus:
    • Users can read/write only their own accounts and transactions.
    • Admins may have full access.
    • High focus on security and privacy.

Why different: Very sensitive data requires strict per-user restrictions.

Copy and paste the code below exactly in Firebase:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Accounts: users can only create and access their own. On create the
    // document does not exist yet, so the owner id is read from request.resource.
    match /accounts/{accountId} {
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.userId;
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.userId;
    }

    // Transactions: same rule
    match /transactions/{transactionId} {
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.userId;
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.userId;
    }
  }
}

5. Educational / Content Apps

  • Example: Quiz apps, learning platforms.
  • Rules Focus:
    • Students can read content assigned to them.
    • Teachers/admins can create/update content.

Why different: Access depends on roles and content assignment.

Copy and paste the code below exactly in Firebase:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Courses collection: enrolled students can read, teachers (custom claim
    // "teacher") can create and modify
    match /courses/{courseId} {
      allow read: if request.auth != null
                  && request.auth.uid in resource.data.enrolledStudents;
      allow write: if request.auth != null && request.auth.token.teacher == true;
    }

    // Assignments inside courses: check the parent course's enrolment list
    match /courses/{courseId}/assignments/{assignmentId} {
      allow read: if request.auth != null
                  && request.auth.uid in get(/databases/$(database)/documents/courses/$(courseId)).data.enrolledStudents;
      allow write: if request.auth != null && request.auth.token.teacher == true;
    }
  }
}
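As an added example (not from the original post), a small JavaScript lint pass over a rules file that catches the mistake the owner-check rules in sections 1 to 4 are prone to: an allow write or allow create whose condition reads resource.data. On a create the document does not exist yet, so resource is null and every create is denied; the owner or participant check for a create has to read request.resource.data instead. The regex parser and the sample rules are constructed for this example and do not handle functions or nested match blocks.

```javascript
// Extract `allow <methods>: if <condition>;` statements (condition may span lines)
const ALLOW_RE = /allow\s+([a-z,\s]+?)\s*:\s*if\s+([\s\S]*?);/g;
// `resource.data` that is NOT `request.resource.data`, i.e. the existing document
const EXISTING_DOC_RE = /(?<!request\.)\bresource\.data\b/;

// Returns every allow statement that covers `create` (directly or via `write`)
// and whose condition depends on the existing document, which is null on create.
function findCreateRulesUsingExistingDoc(rulesText) {
  const findings = [];
  for (const m of rulesText.matchAll(ALLOW_RE)) {
    const methods = m[1].split(',').map((s) => s.trim()).filter(Boolean);
    const condition = m[2].replace(/\s+/g, ' ');
    const coversCreate = methods.includes('write') || methods.includes('create');
    if (coversCreate && EXISTING_DOC_RE.test(condition)) {
      findings.push({ methods, condition });
    }
  }
  return findings;
}

// Constructed sample: the orders rule as written in section 3 (flagged) next to
// an accounts rule that splits create from read/update/delete (not flagged).
const SAMPLE_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /orders/{orderId} {
      allow read, write: if request.auth != null && request.auth.uid == resource.data.userId;
    }
    match /accounts/{accountId} {
      allow create: if request.auth != null && request.auth.uid == request.resource.data.userId;
      allow read, update, delete: if request.auth != null && request.auth.uid == resource.data.userId;
    }
  }
}`;

for (const f of findCreateRulesUsingExistingDoc(SAMPLE_RULES)) {
  console.log(`create always denied: allow ${f.methods.join(', ')}: if ${f.condition}`);
}
```

Run it against your own firestore.rules before deploying; a rule that is flagged here will fail the "can a user create their own document" case in the emulator every time.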
