
I am trying to wrap my head around the security rules of Firestore. Here's my use case.

In my app, a User can create content which only he/she can read/write. I also have another collection which can be read/written only by the application, not by any user.

{
    // should be read/write by individual users
    "users" : {
        foo : {
            bar: 'zoo'
        }
    },

    // Should be read/write, only by application
    "bookkeeping" : {
        paidUsers: {
            ...
        }
    }
}

Can this be done using Firestore security rules?

Veera
  • when you say "only by the application", where does this code run? – Frank van Puffelen Dec 28 '17 at 05:28
  • In browser. I am not planning to have any server side code. Or, should I have one? – Veera Dec 28 '17 at 17:04
  • A user can write code that does the same as the code you wrote. If they do, there is no reason to reject the actions based on their code alone. Instead of focusing on "just my code", I recommend that you focus on the rules that your data must follow or on the user of the code and whether they are authorized to access the data. Also see Kato's answer here: https://stackoverflow.com/questions/18005984/how-to-prevent-other-access-to-my-firebase – Frank van Puffelen Dec 29 '17 at 01:28

0 Answers
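The following ruleset is an added illustration of the model the question describes, written here as an example; it is not from the question, the comments, or any Firebase project. It assumes two things that the question does not state: that each document under "users" is keyed by the Firebase Authentication uid of its owner (so "foo" would be a uid), and that the "only by the application" side runs through the Firebase Admin SDK (Cloud Functions or your own server), which bypasses security rules entirely. A browser client has no way to prove it is "your code", which is the point Frank van Puffelen makes above, so the rules are written around who is authenticated and which document they own, not around which code is calling.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Per-user content: a signed-in user may read and write only the
    // document whose id equals their own uid (assumption: document id == uid).
    // request.auth is null for unauthenticated clients, so the first
    // condition also rejects anonymous access.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Application-only data: no client SDK (browser or mobile) may read or
    // write anything under bookkeeping. Unmatched paths are denied by default,
    // but spelling it out documents the intent. The Admin SDK does not go
    // through these rules, so server-side code remains the only way in.
    match /bookkeeping/{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two caveats when adapting this: the `/users/{userId}` match covers only that document, so any subcollection beneath it needs its own `match` block with the same ownership check; and because Admin SDK access is unrestricted by rules, the server-side credentials (service account key) become the real boundary for the bookkeeping collection and should never ship to a browser. You can exercise both branches in the Firebase emulator's Rules Playground before deploying, checking that a signed-in user can write `/users/<their uid>` but not `/users/<someone else>` or anything under `/bookkeeping`.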