
How to set Firestore rules to restrict access?

Learn to configure Firestore rules that restrict access via authentication checks, collection paths, and time-based conditions with our step-by-step guide.

Matt Graham, CEO of Rapid Developers


Step 1: Access the Firebase Console

 

First, go to the Firebase Console. If you haven't already, sign in with your Google account. Once logged in, select the project you want to set rules for, or create a new project if you haven't done so.

 

Step 2: Navigate to Firestore Database

 

In your Firebase project dashboard, locate the left-hand navigation panel. Click on "Firestore Database" to access the Firestore settings.

 

Step 3: Go to the Rules Tab

 

After entering the Firestore Database section, you will see several tabs: "Data", "Indexes", "Rules", etc. Click on the "Rules" tab to view and edit security rules.

 

Step 4: Understanding the Firestore Security Rules Structure

 

Firestore security rules are written in a JSON-like language that lets you control database access. A basic structure looks like this:


service cloud.firestore {
  match /databases/{database}/documents {
    // Add your security rules here
  }
}

 

The match statement specifies which parts of the database the rules apply to. Inside it, you write allow statements whose conditions decide whether read and write operations are permitted.

 

Step 5: Set Rules to Restrict Access

 

To restrict access to authenticated users only, use the request.auth variable to check if a user is authenticated.


service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

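In this rule, read and write access is allowed only if the request.auth variable is not null, meaning the user is authenticated. Because the {document=**} wildcard matches every document in the database, any signed-in user can read and write all data under this rule.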

 

Step 6: Define Specific Rules for Collections

 

You can restrict access to specific collections by modifying the path in the match statement. For example, to restrict access to a "users" collection:


service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}

This rule allows read and write access only if the user is authenticated and their UID matches the userId segment of the document path, so each user can reach only their own document.

 

Step 7: Add Timestamp-Based Conditions

 

You can also use time-based conditions in your rules. For example, to restrict writing to a collection only during business hours:


service cloud.firestore {
  match /databases/{database}/documents {
    match /businessData/{document=**} {
      // request.time is in UTC; dayOfWeek() returns 1 (Monday) to 7 (Sunday)
      allow write: if request.auth != null &&
                   request.time.dayOfWeek() >= 1 &&
                   request.time.dayOfWeek() <= 5 &&
                   request.time.hours() >= 9 &&
                   request.time.hours() < 17;
      // An allow statement only takes effect inside a match block that names documents
      allow read: if request.auth != null;
    }
  }
}

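This rule restricts writes to weekdays between 9 AM and 5 PM. Firestore evaluates request.time in UTC, so the window is 09:00 to 17:00 UTC, not local office time.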

 

Step 8: Test the Rules

 

Firebase provides a simulator to test your rules. Use it to ensure your rules work as expected. The simulator allows you to specify the request and see if it would be allowed or denied based on your current rules.

 

Step 9: Publish the Rules

 

Once you are satisfied with your security rules, click the "Publish" button to apply them. Now, your Firestore database will enforce these rules to control access to your data.
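
The cases worth feeding to the simulator in Step 8 can be worked out offline first. The added example below (not code from the original page) is a simplified JavaScript model of how Firestore combines overlapping match blocks, where a request is granted if any matching allow condition is true. The rule objects, helper names and sample requests are assumptions constructed for illustration, and the example goes beyond the tutorial by showing that leaving the Step 5 catch-all in place makes the Step 6 owner check ineffective.

```javascript
// Simplified model (an assumption, not the Firestore engine): a request is
// allowed when ANY rule that matches its path and method has a true condition;
// with no such rule it is denied.
const signedIn = (req) => req.auth !== null;

// Rules dayOfWeek() is 1 (Monday) to 7 (Sunday); JS getUTCDay() is 0 (Sunday).
const dayOfWeek = (t) => ((t.getUTCDay() + 6) % 7) + 1;
const businessHours = (t) =>
  dayOfWeek(t) <= 5 && t.getUTCHours() >= 9 && t.getUTCHours() < 17;

// The tutorial's rules as hypothetical {pattern, methods, allow} entries.
const CATCH_ALL = {                       // Step 5: match /{document=**}
  pattern: /^\/.+$/, methods: ["read", "write"], allow: signedIn,
};
const USERS = {                           // Step 6: match /users/{userId}
  pattern: /^\/users\/(?<userId>[^/]+)$/, methods: ["read", "write"],
  allow: (req, vars) => signedIn(req) && req.auth.uid === vars.userId,
};
const BUSINESS_WRITE = {                  // Step 7: write in business hours (UTC)
  pattern: /^\/businessData\/.+$/, methods: ["write"],
  allow: (req) => signedIn(req) && businessHours(req.time),
};

function isAllowed(rules, req) {
  return rules.some((rule) => {
    const m = rule.pattern.exec(req.path);
    return m !== null && rule.methods.includes(req.method) &&
      rule.allow(req, m.groups || {});
  });
}

// Constructed sample requests (2024-05-03 is a Friday).
const bob = { uid: "bob" };
const at = (iso) => new Date(iso);
const request = (path, method, auth, iso) =>
  ({ path, method, auth, time: at(iso) });

function demo() {
  const readAlice = request("/users/alice", "read", bob, "2024-05-03T12:00:00Z");
  return {
    ownerRuleOnly: isAllowed([USERS], readAlice),
    withCatchAll: isAllowed([CATCH_ALL, USERS], readAlice),
    fridayLate: isAllowed([BUSINESS_WRITE],
      request("/businessData/q1", "write", bob, "2024-05-03T17:00:00Z")),
    saturday: isAllowed([BUSINESS_WRITE],
      request("/businessData/q1", "write", bob, "2024-05-04T12:00:00Z")),
  };
}

console.log(demo());
```

Confirm the same cases against the published rules in the simulator, since this model covers only the conditions shown on this page.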

 
