Firestore Database Security Rules
Marcin Ufniarz edited this page Feb 13, 2024 · 6 revisions
This document outlines the updated security rules for our Firestore Database, aligning with our new collection structure and security needs. These rules are crafted to safeguard data integrity and security, while facilitating appropriate access for various user interactions.
```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Accounts Collection
    match /accounts/{accountId} {
      // Account ownership verification
      function isAccountOwner() {
        return request.auth != null && request.auth.uid == accountId;
      }
      // Access for friends
      function isAcceptedFriend() {
        return request.auth != null &&
          exists(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)) &&
          get(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)).data.status == 'accepted' &&
          get(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)).data.relationship == 'friend';
      }
      // Access for group members
      function isAcceptedGroupMember() {
        return request.auth != null &&
          exists(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)) &&
          get(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)).data.status == 'accepted' &&
          get(/databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(request.auth.uid)).data.relationship == 'member';
      }
      // Public access for groups
      function isPublicGroup() {
        return resource.data.privacy == 'public' && resource.data.type == 'group';
      }
      // Public access for users
      function isPublicUser() {
        return resource.data.privacy == 'public' && resource.data.type == 'user';
      }
      // Read permissions
      allow read: if isAccountOwner() || isAcceptedFriend() || isAcceptedGroupMember() || isPublicGroup() || isPublicUser();
      // Write permissions
      allow write: if isAccountOwner();
    }
    // RelatedAccounts Collection
    match /accounts/{accountId}/relatedAccounts/{relatedAccountId} {
      // Either party to the relationship may create, read, update, or delete the entry.
      // No field is restricted here, including the status and relationship fields
      // that isAcceptedFriend() and isAcceptedGroupMember() read.
      allow create, read, update, delete: if request.auth != null &&
        (request.auth.uid == accountId || request.auth.uid == relatedAccountId);
    }
    // Feedback Collection
    match /feedback/{accountId} {
      // Account ownership verification for feedback
      function isAccountOwner() {
        return request.auth != null && request.auth.uid == accountId;
      }
      // Feedback permissions
      allow create: if isAccountOwner();
      allow read, update: if request.auth != null; // Authenticated users can read and update feedback
      allow delete: if isAccountOwner(); // Only the owner can delete their feedback
    }
  }
}
```
- Accounts Collection: Centralized rules for user and group accounts, supporting nuanced access based on relationships and privacy settings.
- RelatedAccounts Subcollection: Customized rules for managing relationships, providing tailored access for creating, reading, updating, and deleting relationship entries.
- Feedback Collection: Adjusted to accommodate account-based feedback, ensuring that only account owners can create and delete their feedback, while any authenticated user can read and update it.
- Utilize the Firebase Console's "Rules Playground" for testing and validation.
- Continually revisit and refine these rules to adapt to new application features or data structures.
- Implement additional granular rules for specific fields or documents as necessary.
- Regular security audits are essential for identifying and mitigating potential vulnerabilities.
- Stay informed about Firebase's security best practices and incorporate them into your development process.
- Educate your team about the importance of these security rules and encourage adherence to best practices.
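The account read checks trust the `status` and `relationship` fields of a relatedAccounts entry, while the relatedAccounts rule lets either party write every field. A field-level variant of that rule follows as an added example, not part of the project's rules. It assumes that relationship requests start with status `'pending'` (a value this page does not define) and that only the account owner accepts them; the helper function names are hypothetical.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /accounts/{accountId}/relatedAccounts/{relatedAccountId} {
      // Hypothetical helpers, not from the page.
      function isOwner() {
        return request.auth != null && request.auth.uid == accountId;
      }
      function isRelated() {
        return request.auth != null && request.auth.uid == relatedAccountId;
      }
      // True when an update leaves the access-granting fields untouched.
      // Only valid on update: resource is null on create.
      function grantFieldsUnchanged() {
        return !request.resource.data.diff(resource.data)
                 .affectedKeys().hasAny(['status', 'relationship']);
      }

      // Both parties can see and remove the entry, as on the page.
      allow read, delete: if isOwner() || isRelated();

      // The related party may only file a request; 'pending' is an assumed value.
      allow create: if isOwner() ||
        (isRelated() && request.resource.data.status == 'pending');

      // Only the owner of accountId can change status or relationship,
      // so only the owner can grant read access to the account document.
      allow update: if isOwner() ||
        (isRelated() && grantFieldsUnchanged());
    }
  }
}
```

This block would replace the existing relatedAccounts match rather than sit beside it, because Firestore grants a request if any matching `allow` statement permits it.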
Maintaining stringent security rules is crucial for protecting user data and ensuring that our Firestore Database operates within the desired access control parameters. As our application grows, these rules will be instrumental in safeguarding our data and providing a secure environment for our users.