Cloud Firestore and Cloud Storage Security Rules

Unlike Realtime Database Security Rules which are formatted using the JSON syntax, Cloud Firestore and Cloud Storage Security Rules take a different format. They begin with a service declaration that defines the scope of the Security Rules by identifying the Firebase product to which they apply. It then contains the match declaration using one or more match blocks. These are used to specify the path to the document or file in the database or the storage bucket. The match blocks contain allow statements that determine the conditions to access the document or file in the path.

Cloud Firestore Security Rules

Cloud Firestore Security Rules use a syntax based on the Common Expression Language (CEL)The Common Expression Language (CEL) is a non-Turing complete language designed for simplicity, speed, safety, and portability. Its syntax looks nearly identical to expressions in C++, Java, and TypeScript. together with the match and allow statements that determine the access condition of the database.

The steps for writing Cloud Firestore Security Rules are outlined below:

• To begin writing Cloud Firestore Rules, we must first indicate a syntax version using the rules_version statement. This is important because the Security Rules will be evaluated as v1 if none is provided. For this course, we’ll focus on v2.
• Next is the service cloud.firestore declaration that defines the scope of these rules, which in this case is Cloud Firestore.
• Now, we must define the match patterns to identify the path. From the Security Rules perspective, all documents in Cloud Firestore fall into the /databases/{database}/documents path. This path can be thought of as the root of the database. Therefore, it’s always the path defined in the first match block. Then, the next match block must contain the actual path to the document. While specifying paths, we can also declare possible wildcards in the paths using the curly braces, { }. These will match all documents existing on the defined path.
• The match blocks contain allow expressions that determine the conditions to grant access to the defined path. These expressions require methods, like read or write, to describe the nature of the database access: