Setting Rules in Firebase


Firebase rules are security rules that protect your Firebase database, both Firestore and the Realtime Database. They are central to the integrity and security of your data, ensuring that only authorized reads and writes occur.

Firebase rules use expressions that evaluate to either true or false. If the expression evaluates to true, the operation is allowed to proceed; if it evaluates to false (or no rule matches the request at all), the operation is denied.

A common mistake many developers make is to overlook setting up Firebase rules, leaving their databases open to unauthorized access. As a default setup, Firebase allows read and write operations for the first 30 days. After that, unless rules are explicitly defined, no read or write operations will be allowed.

Consider a typical Firestore database scenario where users can add, edit and delete movie titles, movie reviews, and characters. The database schema would look something like this:

  • Movies (Collection)
    • Movie_Id (Document)
      • Name
      • Release date
      • Description
      • Reviews (Sub-collection)
        • Review_Id (Document)
          • User
          • Text
      • Characters (Sub-collection)
        • Character_Id (Document)
          • Name

Now, let's dive in and explore various Firebase rules for different use cases using our movie database scenario.

1. Public Access:

The following rules state that anyone can read or write to your Firestore database. This is the set-up when you first create your Firestore database. These rules should not be used in any production application: they allow unrestricted access to every document, authenticated or not.

service cloud.firestore {
  match /databases/{database}/documents {
    // {document=**} matches every document in every collection
    match /{document=**} {
      // an allow with no condition is always true
      allow read, write;
    }
  }
}

2. No Access:

To lock the database down completely, use these rules, which explicitly deny both read and write access to every document.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // the condition never holds, so every request is denied
      allow read, write: if false;
    }
  }
}

3. User-Based Access:

In most applications, you want users to sign in and then read or write specific data stored in Firestore. These rules ensure that only authenticated users can perform read and write actions; any request without a signed-in user is denied.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      // request.auth is null for unauthenticated requests; evaluating
      // .uid on it fails, and a failed condition denies the request
      allow read, write: if request.auth.uid != null;
    }
  }
}

4. Document-Based Access:

You can create rules at a collection or document level. In our movie application scenario, if we want to restrict writing movie reviews to authenticated users only, while leaving reviews readable by everyone, the rule would look like this:

service cloud.firestore {
  match /databases/{database}/documents {
    // matches only documents in the reviews sub-collection of a movie
    match /movies/{movieId}/reviews/{review} {
      allow write: if request.auth.uid != null;
      // unconditional allow: anyone may read reviews
      allow read;
    }
  }
}

5. Field-Based Access:

At times, you may want to enforce more granular access controls at field level. For instance, you may want to restrict access to the "release date" field of any movie document to authenticated users only. Note that Firestore evaluates reads per document, not per field, so the read rule below gates the whole movie document; field-level control applies to writes, where the rule inspects request.resource.data (the document as it would be after the write) and here only allows writes that include a "release date" field.

service cloud.firestore {
  match /databases/{database}/documents {
    match /movies/{movieId} {
      allow read: if request.auth.uid != null;
      // request.resource.data is the incoming document; "in" checks
      // that it carries a "release date" key
      allow write: if request.auth.uid != null && ("release date" in request.resource.data);
    }
  }
}

6. Attribute-Based Access:

This rule scenario is based on user attributes. For instance, if in our movie application only "admin" users can add new characters to a movie, we can introduce an attribute on the user's authentication token and check for it in our rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /movies/{movieId}/characters/{character} {
      // only tokens carrying the admin claim may write characters
      allow write: if request.auth.token.admin == true;
      allow read;
    }
  }
}

In this rule, request.auth.token.admin refers to the "admin" custom claim on the user's Firebase Authentication ID token. Custom claims can only be set from a trusted server environment with the Firebase Admin SDK, so a client cannot grant itself this attribute.
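As an added example that is not part of the original post, the patterns above combined into one rules file for the movie schema. It assumes lowercase field names (name, release date, description, user, text) and the admin custom claim from the previous section; the helper functions, the field validation on movies and the check that a review's user field matches the caller's uid go a little beyond the single-condition rules shown so far.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // helper functions (names are ours, not from the original post)
    function isSignedIn() {
      return request.auth != null;
    }
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }

    // movies: readable by anyone; only admins create, update or delete,
    // and a written movie may carry only the documented fields
    match /movies/{movieId} {
      allow read;
      allow create, update: if isAdmin()
        && request.resource.data.keys().hasOnly(['name', 'release date', 'description'])
        && request.resource.data.name is string
        && request.resource.data['release date'] is timestamp;
      allow delete: if isAdmin();

      // reviews: readable by anyone; a signed-in user may only create a
      // review marked with their own uid and only change their own reviews
      match /reviews/{reviewId} {
        allow read;
        allow create: if isSignedIn()
          && request.resource.data.user == request.auth.uid
          && request.resource.data.text is string;
        allow update, delete: if isSignedIn()
          && resource.data.user == request.auth.uid;
      }

      // characters: readable by anyone; only admins write
      match /characters/{characterId} {
        allow read;
        allow write: if isAdmin();
      }
    }
    // no recursive wildcard here: any path not matched above is denied,
    // because Firestore rejects requests that no allow statement covers
  }
}
```

Run it against the Firebase emulator or the console's rules simulator with an unauthenticated request, a plain signed-in user and a user carrying the admin claim to confirm each path behaves as intended.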

In summary, Firebase security rules allow you to make granular adjustments to your security settings, enabling you to strike the right balance between accessibility and security. Always validate your rules with Firebase's rules simulator before deploying them, so that an unintended allow or deny is caught before it reaches production.

Firebase security rules are essential for the protection and integrity of your Firestore data. Every database operation your application performs is evaluated against these rules, so review them with the same care as the rest of your code. Flexibility, fine-tuning and security are the key elements they provide, and they should be used to the fullest. Good luck with your Firebase rules!
