0
votes

I am trying to write security rules for my Firestore-based app and I am confused as to whether access to documents/collections in Firestore is the default (meaning that I need to write rules to specifically forbid access to any documents in the cases where I should limit access) or if access to documents is not the default (meaning that I need to write rules to specifically allow access in the cases where I want to enable access)?

From the firestore documentation I read this:

Every database request from a Cloud Firestore mobile/web client library is evaluated against your security rules before reading or writing any data. If the rules deny access to any of the specified document paths, the entire request fails.

From this, it seems that all documents are accessible by default but I am not certain and wanted to ask.

Any clarification would be greatly appreciated!

2
AFAIK the collections and documents are not accessible by default. When you opt to use Firestore as the database in a project, it lets you select between 2 modes of security rules, i.e. "Start in locked mode: Make your database private by denying all reads and writes" and "Start in test mode: Get set up quickly by allowing all reads and writes to your database". By selecting any one of these modes, you'll end up setting security rules.

Mohammed Farhan

2 Answers

7
votes

Access is denied if not explicitly granted by any rule. That means that collections that are not matched by any explicitly declared path or wild-card pattern will not be accessible.

The first match statement is the mandatory /databases/{database}/ pattern and syntactically you must declare at least 1 allow statement within the match clause. So by default, a locked database will look like this

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

The if false is needed because omitting it would grant access to everything.

When you start declaring specific rules for collections, you will implicitly deny access to collections and path patterns that are not explicitly granted access.

The easiest way to confirm that is to test it with the built in rules simulator in Firebase console.


0
votes

You can test this for yourself pretty easily in the console simulator. Adjust the rules so that only a certain collection is protected in some way, then try to simulate any access anywhere else at all. All reads and writes will be rejected.

You have to allow access to a document at some point in order for a mobile client to access it. Once you do that, you can not reject access to that document on any other condition for any other rule for the same access.

So the general rule is: a user can't access anything by default, but once they have any rule that allows access, it can not be rejected again by some other rule.
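A ruleset that illustrates both points made in the two answers above (deny by default for unmatched paths, and an allow that cannot be taken back by another rule); this is an added example, not code from either answer, and the users collection, the profile ownership check and the posts path are assumed for illustration:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Only the owner of a profile may read or write it.
    // No match block here covers /posts/{postId} or any other
    // collection, so those paths are denied without any explicit rule.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Overlapping rule on the same path. Allow statements are OR'ed:
    // this grants every signed-in user read access to every profile,
    // and the owner-only condition above cannot reject it again.
    // Delete this block to keep profiles private to their owner.
    match /users/{userId} {
      allow read: if request.auth != null;
    }
  }
}
```

In the console simulator, a read of a path outside /users (for example an assumed /posts/abc) is rejected with these rules, while a read of another user's profile by any signed-in user is granted until the second match block is removed.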