Noah-1

Reputation: 396

Firestore Security Rules for this scenario

I am new to the Firestore security rules and I wanted to make sure that the rules I wrote are secure for my case.

My database structure is like the following:

users / userId / employees / employeeId / files / fileId

The reason I don't denormalize it and create separate collections for users, employees and files is that this application does not require any sort of cross-collection query; there is no place in the application where all employees or their files need to be listed. Which brings me to the rules.

Only the owner of the employee or file collections should be able to access them. Everything inside employees or files can be changed. For the users collection, only creation should be allowed, since new users should be able to be created when signing in, but no user should be able to edit or delete any other existing user. Apart from all of the above, there isn't anything else; there are no roles for this app.

My rules are the following:

  // rules_version 2 is the current syntax; this rule set has no recursive
  // wildcards, so behaviour is unchanged.
  rules_version = '2';
  service cloud.firestore {
    match /databases/{database}/documents {

      // Users: a signed-in user can read and create only their own document.
      // No update or delete is allowed, so no account can be edited or removed.
      match /users/{userId} {
        allow read, create: if request.auth != null && request.auth.uid == userId;

        // Employees: the owning user can read and write (create, update, delete).
        // `write` already covers update, so listing it separately is redundant.
        match /employees/{employeeId} {
          allow read, write: if request.auth != null && request.auth.uid == userId;

          // Files: same owner-only read and write.
          match /files/{fileId} {
            allow read, write: if request.auth != null && request.auth.uid == userId;
          }
        }
      }
    }
  }

My question would be: are my rules secure? This seems awfully simplistic and I am just not sure if it is enough for my case.

Thanks in advance!

Upvotes: 1

Views: 37

Answers (1)

Doug Stevenson

Reputation: 317322

Your rules look fine to me.

But instead of taking my word for it, I strongly suggest using the Firestore local rules emulator and writing some tests against your rules in order to verify that very specific queries (that you define) will be allowed or denied. Run these tests against your rules every time your rules have to change, for whatever reason, so you have confidence that the rules are still going to work as expected. I guarantee you this procedure will yield better and faster results than posting to Stack Overflow every time you're wondering if a set of rules will do what you expect. :-)

Upvotes: 1
