Firestore Rules
Firestore security rules help to keep your Firebase data secure from malicious users. They also control who can access what data in your application.
For example, you can use Firestore rules to only allow a user to create an appointment if they are authenticated (e.g., Email, Google Sign-in, etc.).
If you are brand new to Firestore rules, you may want to check out this overview about Getting Started With Firestore Rules.

Creating Firestore Rules

There are two ways you can set the Firestore Rules:

1. Using FlutterFlow Firestore Settings

To set up basic Firestore Rules, you can use the Firestore Settings available right inside of FlutterFlow.

Overview of Firestore Rules inside of FlutterFlow

You can control the following operations that can be performed on a document of a collection:
  • Create: which users can create a new document inside the collection.
  • Read: which users can read documents inside the collection.
  • Write: which users can update a document of a collection.
  • Delete: which users can delete a document of a collection.
FlutterFlow offers the following four levels of access that you can set to define which user can access the data:
  • Everyone: Allow all users (authenticated/unauthenticated) to create/read/write/delete a document.
  • Authenticated Users: Allow only authenticated users (e.g., Email, Google Sign-in, etc.) to create/read/write/delete a document. This means any user who is logged in to the app.
  • Tagged Users: Allow users to read/update/delete a document if they are tagged in that document. For example, say there is a "posts" collection with a "created_by" field in it which represents the user who created the post. Then the "Tagged User" rule can be set on the "created_by" field to only allow updating the post if the logged-in user is the one who created it.
  • Users Collection: Allow a user to access a document whose id is the same as their authentication id. This option is only applicable to a users collection.
  • No One: Allow no one to create/read/write/delete a document.
For Tagged Users, the document must contain a Field that is either a reference to the user or a string with the user id.

Default rules applied to new collections

When you create a new collection inside the Firestore Content Manager, default rules are applied to the collection.
You won't see the rules until you hit the Deploy button.
Here are the default rules applied to any new collection:
  • Create -> Everyone: All users can create a document.
  • Read -> Everyone: All users can read documents.
  • Write -> No One: No one can update a document.
  • Delete -> No One: No one can delete a document.

Example of how you can use Firestore Rules

Let's take an example to set up the rules on a todos collection for the following requirements:
  1. Only authenticated users should be able to create a Todo item.
  2. All users (authenticated/unauthenticated) can see all the Todo items.
  3. Only the user who created the Todo item can update it.
  4. No one can delete a Todo item.
To set up the Firestore Rules for the above requirements:
  • Click on the Firestore icon from the Navigation Menu (left side of your screen).
  • Switch to the Settings tab and scroll down to the Firestore Rules section.
  • Inside the table, find the collection.
    • Set the Create to Authenticated Users.
    • Set the Read to Everyone.
    • Set the Write to Tagged Users. This will open a popup named Tag Users.
      • Inside the dropdown, click on Unset and select the Field that contains either the user reference or the user id.
      • Click Save Changes.
    • Set the Delete to No One.
The rules set in the above example are simplified. You should carefully understand your requirements and set the Firestore rules accordingly.

2. Using Firebase Cloud Firestore Console

To set up more advanced or custom rules, you can use the Firebase Cloud Firestore Console.
Let's take an example to set up the rules on a todos collection for the following requirements:
  1. To create a Todo item, a user must be authenticated and verified via email or phone, and it must be a valid Todo item.
  2. All users (authenticated/unauthenticated) can see all the Todo items.
  3. Only the user who created the Todo item can update it, and only with valid Todo details.
  4. Only the user who created the Todo item can delete it.
To set up the Firestore Rules for the above requirements:
  • Open the Firebase console of your project, and click on the Firestore Database in the left side menu.
  • Select the Rules tab.
  • Paste the following code and click on Publish.
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // 1. The request carries a Firebase Auth identity.
    function isSignedIn() {
      return request.auth != null;
    }

    // 2. The account is verified either by email or by phone number.
    // phone_number is a string claim, so it is compared against null
    // rather than used directly as a boolean.
    function verified() {
      return request.auth.token.email_verified
          || request.auth.token.phone_number != null;
    }

    // 3. The document being written has a non-empty name.
    function isValidItem() {
      return request.resource.data.name.size() > 0;
    }

    match /todos/{document} {
      // 4.
      allow create: if isSignedIn() && verified() && isValidItem();
      // 5.
      allow read: if true;
      // 6. "write" covers create, update and delete; the creator is matched
      // against a reference to their own document in the users collection.
      allow write: if isValidItem() && resource.data.created_by == /databases/$(database)/documents/users/$(request.auth.uid);
      // 7.
      allow delete: if resource.data.created_by == /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /users/{document} {
      // A user may only create or update the document whose id is their own uid.
      allow create: if request.auth.uid == document;
      allow read: if true;
      allow write: if request.auth.uid == document;
      allow delete: if false;
    }

    // Catch-all left over from Firebase "test mode": until the given date it
    // grants every read and write on every document, and because overlapping
    // matches are OR'd it bypasses the restrictions above. Remove it before
    // going to production.
    match /{document=**} {
      allow read, write: if
        request.time < timestamp.date(2022, 3, 4);
    }
  }
}
Here’s a quick rundown of what’s going on in the code above:
  1. isSignedIn(): Function that checks whether the user is authenticated.
  2. verified(): Function that checks whether the user is verified either via email or phone.
  3. isValidItem(): Function that checks that the Todo item is not empty.
  4. create: Allow a user to create a Todo item only if they are authenticated and verified and the Todo item is valid.
  5. read: Allow all users to see all Todo items.
  6. write: Allow the user who created a Todo item to update it with valid details.
  7. delete: Allow the user who created a Todo item to delete it.
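As an added example (not FlutterFlow's code and not the rules above), here is how the Tagged Users check from the first section and the todos rules explained in this rundown can be written so that the tag field is accepted in either form the page describes, a reference to the user document or the user id as a string, and so that the creator is verified on create and may not change the tag later. The field name created_by is assumed as in the example above; update is granted instead of the broader write, and no catch-all match is included.

```firestore
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    // Reference form of the caller's user document, as stored in a
    // FlutterFlow reference field.
    function callerRef() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    // Tagged-user check that accepts both forms of the tag field:
    // a reference to the user document, or the user id as a string.
    // A missing field denies instead of raising an evaluation error.
    function isTaggedIn(data) {
      return isSignedIn()
          && 'created_by' in data
          && (data.created_by == callerRef()
              || data.created_by == request.auth.uid);
    }

    function isValidItem() {
      return request.resource.data.name is string
          && request.resource.data.name.size() > 0;
    }

    match /todos/{document} {
      // The creator must tag themselves, so the tag cannot point at someone else.
      allow create: if isTaggedIn(request.resource.data) && isValidItem();
      allow read: if true;
      // "update" instead of "write", so create and delete are not granted
      // implicitly here, and the tag may not be changed once set.
      allow update: if isTaggedIn(resource.data)
                    && isValidItem()
                    && request.resource.data.created_by == resource.data.created_by;
      allow delete: if false;
    }

    match /users/{userId} {
      allow create, update: if isSignedIn() && request.auth.uid == userId;
      allow read: if isSignedIn();
      allow delete: if false;
    }
    // No catch-all match: any path not listed above is denied.
  }
}
```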

Deploy

To deploy the Firestore Rules:
  • Click on the Firestore icon from the Navigation Menu (left side of your screen).
  • Switch to the Settings tab and scroll down to the Firestore Rules section.
  • Click the Deploy button.
  • Before you finally deploy the new rules, a popup opens and asks you to review the changes you made. Here you can check the difference between the before and after versions of the Firestore Rules.
  • Click Deploy Now.

Reverting to previous rules

You can go back to the previous rule state using the Firebase Cloud Firestore Console:
  • Open the Firebase console of your project, and click on the Firestore Database in the left side menu.
  • Select the Rules tab.
  • Select the previous rule version from the left side menu and copy it.
  • Select the current rule version from the left side menu and paste the previous rules over it.
  • Click on Publish.

Learn more

Learn more about creating custom Firestore Rules here.