Reputation: 591
How do I lock down access to top-level collections? I want to prevent people listing or deleting top-level collections.
Would this ruleset prevent listing and deleting top-level collections, but allow complete access to documents?
```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    allow get;
    allow list: if false;
    allow create;
    allow update;
    allow delete: if false;
    match /{document=**} {
      allow get;
      allow list;
      allow create;
      allow update;
      allow delete;
    }
  }
}
```
It seems like it might not actually do anything to collections.
Does anyone know how to affect top-level collections in Firestore rules?
Upvotes: 0
Views: 153
Reputation: 317392
Since there are no web, mobile, or REST APIs to list, delete, or otherwise operate on collections individually, you don't have to worry about that happening. Security rules only apply to the operations you can perform with web, mobile, or REST clients (when authenticated with a Firebase user).
On top of that, collections are not even really entities in Firestore. They are more like units of organization that provide indexing for contained documents. All operations effectively target documents within collections. That's why security rules make you choose documents with match blocks.
Another thing to note - when writing security rules, you should be thinking about them in terms of specific queries that you want to allow. If you're imagining a situation that doesn't have specific client code to match, then you're not thinking in terms of what security rules are intended to do.
Upvotes: 1
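The answer's point, put into a ruleset as an added example (this is not code from the question or the answer): because every client request targets a document path, the restrictions the question wants belong on the document `match` block, not on the `/databases/{database}/documents` path. Firestore rules are default-deny and `allow` statements only ever grant, so `allow list: if false;` is the same as writing nothing; denying a query or a delete means simply not granting `list` or `delete`. The collection name `posts` is a placeholder chosen for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // No allow statements here: no client operation targets this path,
    // so rules placed on it never match a request.

    // Example collection name (placeholder): a single document fetch,
    // creation and update are permitted for signed-in users; queries
    // against the collection ("listing") and deletes are not granted,
    // which under default-deny means they are rejected.
    match /posts/{postId} {
      allow get: if request.auth != null;
      allow create, update: if request.auth != null;
      // no 'list'   -> collection queries are denied
      // no 'delete' -> document deletes are denied
    }
  }
}
```

Writing the rule per collection, as above, follows the answer's advice to reason from the concrete queries the client code performs: a `get` of one document is allowed, a query over the collection is the operation that "lists", and that is what the absence of `list` blocks. A recursive `match /{document=**}` wildcard would apply the same grants to every collection at every depth, so use it only if that is genuinely the intent.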