Firestore Rules

Firestore security rules keep your Firebase data safe from malicious users and control who can access what data in your application. Because a Flutter app talks to Firestore directly from the client, these rules are the only access control the server enforces: anything a rule allows can be done by anyone who can reach your Firebase project, regardless of what the app's UI shows.
For example, you can use Firestore rules to allow users to create an appointment only if they are authenticated (e.g., Email, Google Sign-in, etc.).
If you are brand new to Firestore rules, check out this overview about Getting Started With Firestore Rules.

Creating Firestore Rules

There are two ways you can set the Firestore Rules:

1. Using FlutterFlow Firestore Settings

To set up basic Firestore Rules, you can use the Firestore Settings available right inside FlutterFlow.

Overview of Firestore Rules inside of FlutterFlow

You can control the following operations that can be performed on a document:
  • Create: Allow users to create a new document inside the collection.
  • Read: Allow users to read documents inside the collection.
  • Write: Allow users to update a document of a collection.
  • Delete: Allow users to delete a document of a collection.
Default rules
FlutterFlow offers the following five levels of access that you can set to define which user can access the data:
  • Everyone: Allow all users (authenticated/unauthenticated) to create/read/write/delete a document.
  • Authenticated Users: Allow only authenticated users (e.g., Email, Google Sign-in, etc.) to create/read/write/delete a document. This means any user who is logged in to the app.
  • Tagged Users: Allow users to read/update/delete a document if they are tagged in that document. For example, say there is a "posts" collection with a "created_by" field representing the user who created the post. Then the "Tagged User" rule can be set on the "created_by" field to only allow accessing (read/update/delete) the post if the logged-in user is the one who created it.
Tagged Users: Only [email protected] can delete the post
  • Users Collection: Allow a user whose authentication id is the same as the id of the document. This option is only applicable to a 'users' collection.
  • No One: Allow no one to create/read/write/delete a document.
For Tagged Users, the document must contain a Field that can either be a reference to the user or a string with the user id.
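What each of these levels amounts to in the rules language is easiest to see when written out. The script below is an added illustration, not FlutterFlow's own rule generator (FlutterFlow's actual output may differ); the helper names isSignedIn and isTagged, the No One default for unspecified operations and the extra check on update that stops an owner from rewriting the tag field are this example's choices. The isTagged helper accepts both shapes the text allows for the tag field, a reference to the users document or a plain uid string, and uses type checks so that a mismatched type evaluates to false instead of raising an error.

```python
"""Render FlutterFlow-style per-collection access levels as Firestore rules.
Added example; not FlutterFlow's generator. Helper names and the update
hardening are assumptions made here."""
from enum import Enum


class Level(Enum):
    EVERYONE = "Everyone"
    AUTHENTICATED = "Authenticated Users"
    TAGGED = "Tagged Users"
    USERS_COLLECTION = "Users Collection"
    NO_ONE = "No One"


OPS = ("create", "read", "update", "delete")

# Shared helpers emitted once per ruleset. isTagged accepts the two shapes the
# page says the tag field may have: a reference to the users document or the
# bare uid string. The `is` checks keep each branch type-safe so a mismatch
# evaluates to false instead of raising (an evaluation error denies the request).
HELPERS = """\
    function isSignedIn() {
      return request.auth != null;
    }
    function isTagged(tag) {
      return (tag is path && tag == /databases/$(database)/documents/users/$(request.auth.uid))
          || (tag is string && tag == request.auth.uid);
    }"""


def condition(level, op, collection, tag_field=None):
    """Rules-language condition for one operation at one access level."""
    if level is Level.EVERYONE:
        return "true"
    if level is Level.NO_ONE:
        return "false"
    if level is Level.AUTHENTICATED:
        return "isSignedIn()"
    if level is Level.USERS_COLLECTION:
        if collection != "users":
            raise ValueError("Users Collection applies only to the 'users' collection")
        # {document} is the match wildcard, so this ties the doc id to the caller's uid.
        return "isSignedIn() && request.auth.uid == document"
    # Level.TAGGED: needs an existing document to read the tag from.
    if op == "create":
        raise ValueError("Tagged Users cannot apply to create; the document does not exist yet")
    if not tag_field:
        raise ValueError("Tagged Users requires the name of the tag field")
    cond = (f"isSignedIn() && '{tag_field}' in resource.data"
            f" && isTagged(resource.data.{tag_field})")
    if op == "update":
        # Hardening added in this example: an owner may not hand the document
        # to someone else (or drop the field) by rewriting the tag.
        cond += f" && request.resource.data.{tag_field} == resource.data.{tag_field}"
    return cond


def render(collections):
    """collections maps name -> {op: Level or (Level.TAGGED, tag_field)}.
    Operations left unspecified default to No One (fail closed), which is
    stricter than FlutterFlow's Everyone default for create/read."""
    lines = ["rules_version = '2';",
             "service cloud.firestore {",
             "  match /databases/{database}/documents {",
             HELPERS]
    for name, ops in collections.items():
        lines.append(f"    match /{name}/{{document}} {{")
        for op in OPS:
            spec = ops.get(op, Level.NO_ONE)
            level, tag = spec if isinstance(spec, tuple) else (spec, None)
            lines.append(f"      allow {op}: if {condition(level, op, name, tag)};")
        lines.append("    }")
    lines += ["  }", "}"]
    return "\n".join(lines)


# The page's todos requirements plus a users collection locked to its owner.
EXAMPLE = {
    "todos": {"create": Level.AUTHENTICATED, "read": Level.EVERYONE,
              "update": (Level.TAGGED, "created_by"), "delete": Level.NO_ONE},
    "users": {"create": Level.USERS_COLLECTION, "read": Level.AUTHENTICATED,
              "update": Level.USERS_COLLECTION},
}

if __name__ == "__main__":
    print(render(EXAMPLE))
```

Running the script prints a complete ruleset for the todos example further down this page. The point to take from it is in the Tagged Users branch: the rule reads the tag from resource.data (the document as it exists before the write), so it cannot apply to create, and on update it also compares request.resource.data (the document as it would be after the write) to stop the tag from being changed.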

Default rules applied to new collections

When you create a new collection inside the Firestore Content Manager, below are the default rules applied to the collection:
  • Create -> Everyone: All users can create a document.
  • Read -> Everyone: All users can read documents.
  • Write -> No One: No one can update a document.
  • Delete -> No One: No one can delete a document.
Default rule
The default rule is suitable while you are getting started, but before the app goes live, think about limiting access to any collection that potentially includes a user's private information. Note also what Create -> Everyone means: an unauthenticated client can insert arbitrary documents into the collection, so at minimum set Create to Authenticated Users before release. To help you with private data, we mark such a collection as 'Has Private Data'. This shows a warning asking you to update the rule and restrict access.
For example, a newly created 'notes' collection allows everyone to read all notes by default. In reality, only the user who created a note should be able to read it. Because the collection is marked 'Has Private Data', it shows a warning like the one below, and you can modify the rules so that only the user who created a note can read it.
Firestore warning
If you want more control over a specific collection, you can remove the FlutterFlow-generated rule by checking the Exclude option. And then, you can set up advanced or custom security rules using the Firestore Database console.
To bring the rules into effect, you must deploy them. Click the Deploy button from here, and you will see the deployed rules at Firebase Console > Firestore Database > Rules.

Example of how you can use Firestore Rules

Let's take an example to set up the rules on a todos collection for the following requirements:
  • Only authenticated users should be able to create a Todo item.
  • All users (authenticated/unauthenticated) can see all the Todo items.
  • Only a user who created the Todo item can update it.
  • No one can delete a Todo item.
To set up the Firestore Rules for the above requirements:
  1. Click on Firestore from the Navigation Menu (left side of your screen).
  2. Switch to the Settings tab and scroll down to the Firestore Rules section.
  3. Inside the table, find the collection.
    1. Set Create to Authenticated Users.
    2. Set Read to Everyone.
    3. Set Write to Tagged Users. This opens a popup named Tag Users.
      1. Inside the dropdown, click on Unset and select the Field that contains either the user reference or the user id.
      2. Click Save Changes.
    4. Set Delete to No One.
  4. Now you can deploy the rules.
  • The rules set in the above examples are for simplification purposes. You should carefully understand your requirements and set the Firestore rules accordingly.
Setup Firestore rules in FlutterFlow

2. Using Firestore Database Console

To set up more advanced or custom rules, you can use the Firebase Cloud Firestore Console.
Let's take an example to set up the rules on a todos collection for the following requirements:
  • To create a Todo item, a user must be authenticated and verified via email or phone, and it must be a valid Todo item.
  • All users (authenticated/unauthenticated) can see all the Todo items.
  • Only a user who created the Todo item can update it with valid Todo details.
  • Only a user who created the Todo item can delete it.
To set up the Firestore Rules for the above requirements:
  1. Open the Firebase console of your project, and click on Firestore Database in the left side menu.
  2. Select the Rules tab.
  3. Paste the following code and click on Publish.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // 1.
    function isSignedIn() {
      return request.auth != null;
    }
    // 2. Check that a claim exists before reading it: reading a claim that is
    // absent from the token is an evaluation error, which denies the request.
    function verified() {
      return ('email_verified' in request.auth.token && request.auth.token.email_verified == true)
          || ('phone_number' in request.auth.token && request.auth.token.phone_number is string);
    }
    // 3. request.resource.data is the document as it would be after the write.
    function isValidItem() {
      return request.resource.data.name is string && request.resource.data.name.size() > 0;
    }
    // created_by must hold a reference to the caller's users document.
    function isOwner() {
      return isSignedIn()
          && resource.data.created_by == /databases/$(database)/documents/users/$(request.auth.uid);
    }
    match /todos/{document} {
      // 4.
      allow create: if isSignedIn() && verified() && isValidItem();
      // 5.
      allow read: if true;
      // 6. 'update' rather than 'write': write would also cover create and delete.
      //    The owner may not reassign created_by to someone else.
      allow update: if isOwner() && isValidItem()
          && request.resource.data.created_by == resource.data.created_by;
      // 7.
      allow delete: if isOwner();
    }
    match /users/{document} {
      allow create, update: if isSignedIn() && request.auth.uid == document;
      allow read: if true;
      allow delete: if false;
    }
  }
}
Here's a quick rundown of what's going on in the code above:
  1. isSignedIn(): Function that checks whether the request carries an authenticated user. request.auth is null for unauthenticated clients.
  2. verified(): Function that checks whether the user's ID token carries a verified email address or a phone number.
  3. isValidItem(): Function that checks whether the incoming Todo item has a non-empty name.
  4. create: Allow a user to create a Todo item only if they are authenticated, verified, and the Todo item is valid.
  5. read: Allow all users, including unauthenticated ones, to see all Todo items.
  6. update: Allow only the user who created a Todo item to update it, and only with valid details. The created_by field is compared with the path of the caller's document in the users collection, so it must store a reference to that document; if your collection stores the user id as a string instead, compare the field with request.auth.uid. Note that in the rules language "allow write" covers create, update and delete together, so use "allow update" when you mean updates only.
  7. delete: Allow only the user who created a Todo item to delete it.
Do not keep the Firebase console's test-mode catch-all (a "match /{document=**}" block that allows read and write while request.time is before some date) in a production ruleset. Firestore grants a request if any matching rule allows it, so such a block overrides every restriction above it until its date passes, and it is easy to leave behind when pasting rules over the console's defaults.
Setup Firestore rules in Firestore Database Console
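A ruleset is easy to get wrong in exactly the ways described above: an Everyone-style unconditional allow left on a mutating operation, or the console's test-mode catch-all still present at the bottom. The script below is an added example, not FlutterFlow or Firebase tooling: a small pre-deploy lint that walks a firestore.rules file, tracks which match block each allow statement sits in, and reports those two patterns. The sample ruleset it runs on is constructed here (a trimmed version of the todos/users rules with a test-mode catch-all appended), and the severity labels are this example's convention.

```python
"""Pre-deploy lint for a firestore.rules file (added example, not FlutterFlow tooling).
Flags the two mistakes this page warns about: an unconditional allow on a mutating
operation (FlutterFlow's Everyone left on create/write/delete) and a recursive
wildcard catch-all such as the Firebase console's test-mode block. Firestore grants
a request when ANY matching allow is true, so a catch-all overrides every
per-collection restriction above it."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "info"
    path: str       # full match path the allow statement sits in
    ops: tuple      # operations granted, with `write` expanded
    message: str


_ALLOW_RE = re.compile(r"allow\s+([\w,\s]+?)\s*(?::\s*if\s+(.+))?$")
_MATCH_RE = re.compile(r"match\s+(\S+)$")


def _normalise(text):
    """Drop // comments; rewrite path wildcards {x} / {x=**} as <x> so the only
    braces left delimit blocks. Map literals inside conditions are not handled."""
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"\{(\w+(?:=\*\*)?)\}", r"<\1>", text)


def _check(path, ops, cond):
    grants = set()
    for op in ops:
        grants |= {"create", "update", "delete"} if op == "write" else {op}
    writes = tuple(sorted(grants & {"create", "update", "delete"}))
    reads = tuple(sorted(grants & {"read", "get", "list"}))
    if cond == "false":
        return []
    if "=**" in path:
        when = " until the timestamp expires" if "request.time" in cond else ""
        return [Finding("high", path, writes + reads,
                        "recursive wildcard grants access to every document; overlapping "
                        "rules are OR-ed, so this overrides per-collection rules" + when)]
    found = []
    if cond == "true" and writes:
        found.append(Finding("high", path, writes, "unconditional write (Everyone)"))
    if cond == "true" and reads:
        found.append(Finding("info", path, reads,
                             "public read; confirm the collection holds no private data"))
    return found


def lint_rules(text):
    """Walk the ruleset brace by brace, tracking the enclosing match paths."""
    findings, stack, opened_at, depth, buf = [], [], [], 0, ""
    for ch in _normalise(text):
        if ch == "{":
            m = _MATCH_RE.match(" ".join(buf.split()))
            if m:
                stack.append(m.group(1))
                opened_at.append(depth)
            depth, buf = depth + 1, ""
        elif ch == "}":
            depth -= 1
            if opened_at and opened_at[-1] == depth:
                opened_at.pop()
                stack.pop()
            buf = ""
        elif ch == ";":
            m = _ALLOW_RE.match(" ".join(buf.split()))
            if m:
                ops = [o.strip() for o in m.group(1).split(",") if o.strip()]
                cond = (m.group(2) or "true").strip()   # `allow read;` means `if true`
                path = "".join(stack).replace("<", "{").replace(">", "}")
                findings.extend(_check(path, ops, cond))
            buf = ""
        else:
            buf += ch
    return findings


def blocking(findings):
    """Findings that should fail a deploy."""
    return [f for f in findings if f.severity == "high"]


# Constructed sample: a trimmed version of the page's todos/users rules with the
# console's test-mode catch-all still sitting at the bottom.
SAMPLE_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isSignedIn() { return request.auth != null; }
    match /todos/{document} {
      allow create: if isSignedIn();
      allow read: if true;
      allow update: if isSignedIn() && resource.data.created_by == request.auth.uid;
      allow delete: if false;
    }
    match /users/{uid} {
      allow read: if true;
      allow create, update: if isSignedIn() && request.auth.uid == uid;
      allow delete: if false;
    }
    match /{document=**} {
      allow read, write: if
        request.time < timestamp.date(2022, 3, 4);
    }
  }
}
"""

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.path} {','.join(f.ops)}: {f.message}")
```

On the sample the lint reports two public-read notes (todos and users, the same thing FlutterFlow's 'Has Private Data' warning is about) and one blocking finding for the catch-all. Running it against the rules you are about to publish, and refusing to deploy while blocking() is non-empty, catches the leftover test-mode block before it reaches production.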

Deploy

To deploy the Firestore Rules:
  1. Click on Firestore from the Navigation Menu (left side of your screen).
  2. Switch to the Settings tab and scroll down to the Firestore Rules section.
  3. Click the Deploy button.
  4. Before the new rules are deployed, a popup asks you to review your changes. Here you can check the difference between the before and after versions of the Firestore Rules; read the diff for any rule that has become more permissive than you intended.
  5. Click Deploy Now.
You must deploy rules every time you make a change.

Reverting to previous rules

You can go back to the previous rule state with Firebase Cloud Firestore Console:
  1. Open the Firebase console of your project, and click on Firestore Database in the left side menu.
  2. Select the Rules tab.
  3. Select and copy the previous rule from the left-side menu.
  4. Select the current rule from the left-side menu and paste the previous rule.
  5. Click on Publish.
