Skip to main content

Understand Security Rules

Security Rules Language

Security rules are based on a flexible and powerful custom language that can support various levels of complexity and granularity. We can set specific or general rules according to the specific needs of our application. The security rules language uses a JSON structure, where key represents the operation type, and value is the condition for allowing the operation, which can be a boolean or an expression string. The syntax of the expression string is similar to the Javascript language; it is a single logical expression or multiple logical expressions combined with AND/OR operators. When the expression is evaluated, it determines whether the operation is allowed.

Since security rules are a new custom language, there is a learning curve. Please read this guide to better understand this rule language as you delve into more complex rules.

Basic Structure

Security rules are based on a JSON structure, where value is a boolean or a JavaScript-like expression:

{
"read": true,
"write": <<condition>>,
"create": true,
"update": false,
"delete": <<condition>>
}

It contains several key concepts.

  • Operation Type: The JSON key represents the operation type for permission control. create, delete, read, and update correspond to the create, delete, read, and update operations on a collection. write is a shorthand for configuring write permissions (create, delete, update) to a collection. If create, delete, or update operations are not configured, the write configuration will be applied.
  • Rule: The JSON value is the rule condition, which can be a boolean value or a logical expression (or a group of expressions). When the condition evaluates to true, it indicates that the operation is allowed.

By default, when encountering an undefined operation type, access to that operation is denied.

Constructing conditions

Conditions can be boolean values or expression strings. The syntax of expression strings is similar to the Javascript language; they consist of either a single logical expression or multiple logical expressions combined using AND/OR operators. The evaluation result of the expression determines whether the operation is permitted.

Predefined Variables

VariableTypeDescription
nownumberThe current time, expressed in milliseconds since the Linux epoch.
authAuthAfter a user logs in, provides uid (the user's unique ID) and loginType (login type). If the user is not logged in, it is null.
docObjectRepresents the current record object when requesting data. Referencing doc in a condition will result in at most one read of this value from the service. This query will count against all service-related quotas for the resource.
requestRequestRepresents the request object, which can be used to access request-related values.
Auth
Field NameTypeDescription
loginTypestringLogin method
uidstringThe user's unique id. This value is not present in requests from WeChat Mini Programs.
openidstringThe user's openid, which only has a value when using WeChat login
LoginType Enum
Enum ValueLogin Method Description
WECHAT_PUBLICWeChat Official Account
WECHAT_OPENWeChat Open Platform
ANONYMOUSAnonymous login
EMAILEmail Login
CUSTOMCustom Login
Request
Field NameTypeDescription
dataobjectRequest data, present when the operation type is create or update, indicating that the request passes in a data object

Variables can be used in rule expressions. Through doc and request.data, you can obtain the current value of the data and the value passed in the request. For example, in an order collection, to protect the order amount from being tampered with, the following rule can be used:

{
// ... //
"update": "doc.price == request.data.price || request.data.price == undefined"
// ... //
}

Built-in Methods

Currently only supports the get function. The only parameter must be database.collection.documentID. It accesses data from other documents to determine whether the user operation complies with security rules.

Operators

OperatorDescriptionExampleDescription
==Equal toauth.uid == 'zzz'The user's uid is zzz
!=Not equal toauth.uid != 'zzz'The user's uid is not zzz
>Greater thana&gt;10The value of a is greater than 10
>=Greater than or equal toa&gt;=10The value of a is greater than or equal to 10
<Less thana&lt;10The value of a is less than 10
<=Less than or equal toa<=10The value of a is less than or equal to 10
inIn the setauth.uid in ['zzz','aaa']The user's uid is one of ['zzz','aaa']
!(xx in [])Not in the set, using the in syntax as in !(a in [1,2,3])!(auth.uid in ['zzz','aaa'])The user's uid is not any of ['zzz','aaa']
&&Andauth.uid == 'zzz' && a&gt;10The user's uid is zzz and the value of a is greater than 10
||Orauth.uid == 'zzz' \|\| a>10The user's uid is zzz or the value of a is greater than 10
.Object property accessorauth.uidThe user's uid
[]Bracket notation property accessa[auth.uid] == 'zzz'The value of the property in object a with the key being the user's uid is 'zzz'