Security Rules
Define declarative access control for your collections.
Overview
Security rules are JSON-based policies that control read/write access to your data.
```json
{
  "users": {
    "read": "auth != null",
    "write": "auth.uid == resource.created_by"
  },
  "posts": {
    "read": true,
    "create": "auth != null",
    "update": "auth.uid == resource.author_id",
    "delete": "auth.role == 'admin'"
  }
}
```

Rule Variables
| Variable | Description |
|---|---|
| auth | Current authenticated user (null if not logged in) |
| auth.uid | User's ID |
| auth.role | User's role |
| resource | The document being accessed |
| data | The incoming data (for writes) |
Examples

```jsonc
// Public read, authenticated write
{ "read": true, "write": "auth != null" }

// Owner only
{ "read": "auth.uid == resource.user_id", "write": "auth.uid == resource.user_id" }

// Admin only
{ "read": "auth.role == 'admin'", "write": "auth.role == 'admin'" }
```
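To make the evaluation model concrete, here is a small evaluator for the rule-expression subset used on this page, added as an illustration (it is not the product's own rule engine). It assumes deny-by-default when no rule exists, that unset fields resolve to null, and that two absent fields never compare equal.

```python
import re

# Rules copied from this page's example; the evaluator below is an added
# illustration, not the product's own engine.
RULES = {
    "users": {"read": "auth != null", "write": "auth.uid == resource.created_by"},
    "posts": {"read": True, "create": "auth != null",
              "update": "auth.uid == resource.author_id",
              "delete": "auth.role == 'admin'"},
}

# Supported grammar (an assumption): true/false, or <term> ==|!= <term>, where
# <term> is null, a 'quoted literal', or a dotted path into auth/resource/data.
_EXPR = re.compile(r"^\s*('[^']*'|[\w.]+)\s*(==|!=)\s*('[^']*'|[\w.]+)\s*$")

def _resolve(token, env):
    """Map a term to a value; missing paths resolve to None (null)."""
    if token == "null":
        return None
    if token.startswith("'"):
        return token[1:-1]
    value = env
    for part in token.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

def evaluate(rule, auth, resource=None, data=None):
    """Evaluate one rule string without eval(); unsupported syntax raises."""
    if isinstance(rule, bool):
        return rule
    m = _EXPR.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    left, op, right = m.groups()
    env = {"auth": auth, "resource": resource, "data": data}
    lhs, rhs = _resolve(left, env), _resolve(right, env)
    # Two absent fields must not compare equal: otherwise a rule such as
    # "auth.uid == resource.created_by" would let an anonymous request
    # through on a document that has no created_by field.
    if op == "==" and lhs is None and rhs is None and "null" not in (left, right):
        return False
    return (lhs == rhs) if op == "==" else (lhs != rhs)

def is_allowed(collection, operation, auth, resource=None, data=None):
    """Deny by default: no rule for the collection/operation means no access."""
    rule = RULES.get(collection, {}).get(operation)
    return False if rule is None else evaluate(rule, auth, resource, data)
```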