Take an extremely technical engineer with extremely good communication skills and extreme work ethic to put together such an extensive series and you get this guy
02:57 Rules in the Firebase Console 04:11 Rules do not cascade (unlike RTDB) 05:37 Wildcard variables 07:53 Rules will be mostly based on 3 pieces of data: data request, target documents, some other data 10:21 CRUD: create rules 12:06 CRUD: update rules 14:04 CRUD: read rules 16:49 Limit restaurant updates to editors and owners 18:18 Adding SuperAdmin and Moderators 19:25 Custom Functions 20:15 Check if Resource is valid using a function and refactoring rules Full playlist: ua-cam.com/play/PLl-K7zZEsYLluG5MCVEzXAQ7ACZBCuZgZ.html
Wow, easily the best video education series I've ever watched. Production quality through the roof and presenter is clearly knowledgable and able to communicate in a fun and direct way. Thank You!
Love this. Fast, efficient, clear, and engaging. This is exactly what I want to see in a technical video. No filler, no wasted time, not vague or confusing. Thank you!
The whole series is great! I'm glad you aren't afraid of lengthy videos. The short videos on the channel are good too, but intermediate or more experienced developers want more details. Please keep this up! Also, I feel I laughed more than I should at the "moist" joke :)
Thank you for using a realistic use case like the restaurant app, with some decently complex data, instead of just a "to do app" like every other tutorial out there hah
I dunno what kinda docs you're taking about, but when I spent hours each night struggling to figure out these rules (which I eventually figured out), you answers all my questions in a single 20 min video.
Security Rules, like the noun, but also Security Rules! like the verb... All I know is Database Robin Williams Rules! Seriously thank you for making learning a new language much less intimidating
So nice with a high-quality tutorial series where the presenter is SO good that he doesn't need to beg the viewer to subscribe; we'll do it anyway! And share! Can't wait for the next instalment.
How do you handle when people put random irrelevant data in a document? Is there a way to whitelist which fields are allowed on a document? This could be a security problem if they predict a field that we would add later.
Is Cloud Firestore a good selection for a bank account? Can it be safe and reliable to save people's money which is a number to the Cloud Firestore? My concern is reliability and security. Any suggestions?
Love your entire series. Would love to see a video on perhaps the best ways to combine all the services together. For example in my current app, we are using realtime database, firestore, firebase authentication, storage and now cloud messaging. With so many products one could see how confusing the entire product ecosystem is...
Commonly a large company would have front AND backend devs working on a project. (assuming a 'traditional' server backend is involved). But with Firestore, is this still the case?... for example, with Firebase (and cloud functions, security rules, etc.) typically would this mostly still be done by a backend developer? Or with Firebase is the intent for the front end devs to do this themselves (and thus essentially be full stack)?
While running the Firestore Rules simulator, request.token seems to be null. And if at all we provide it using Custom Auth Provider, we need to provide "super_admin" it at the "token" level, which is not the case with actual real world situation, as the custom claim is in "customClaims" property of "token" property. TL;DR: With simulation -> "token":{ "super_admin":true } With real case -> "token":{ "customClaims":{ "super_admin":true } }
What if technically someone retrieved information from my app and created his own with the same credentials? He can send to my database the same requests as I do, e.g. send message. I am really confused by it because my project information is public on my website.
Great video, great episode: this answered a lot of questions I had regarding security for which I am grateful! I still have one concern regarding security due to the schemaless nature of the database. How can I prevent malicious users from spamming my database by writing data to 'fields' I haven't defined? Because from what I understand, anybody with 'write' access to a certain documents can make a function that writes random key:value pairs to the database and run it from a console. Is is possible to write a function that prevents all keys that aren't defined by me 'the programmer' to be written to the database?
Love the video! Thanks a lot for clear instructions. They have helped me a lot to improve my app!! It's nice to watch which gives an honest approach to the content.
Is it true that using sub-collections basically is a kind of extra security? For example, you know that users can only get a sub-collection that belongs to a specific parent id, so unless they know all the parent ids and loop over that, there is no way they can just get a list of all the item in a sub-collection.
Even though it's possible to create Security Rules on each document-attribute, is it possible for a client to add new fields in the update? I can't help but thinking about having all updates/create go theough a Cloud Function first to make more fine-grained validation.
is this any better or worse than using a node.js backend? It seems like a LOT of little rules to write when node.js would make it simpler or would it not?
So happy with this video. It really goes into proper depth and will definitely help me secure everything properly! The local emulator definitely deserves another episode though (or maybe an example on git?), as the documentation is quite hard to comprehend fully.
how to allow only some specific internal ip addresses from login into my firebase auth login we app?? please provide me some tips it is turning like a nightmare.
I don't know if something has changed at the moment, but it continues to appear in the documentation that the first thing we must put is "rules_version = '2';"; the truth is that it is the first error and it does not allow publishing only by placing that in the rules
When you have a "roles" map of uid => role, how can you validate to ensure only the owner can add/remove editors, but an editor can remove themselves from the map?
Hi Guys. I implement Firestore within my Backend with Express and have all types of validations against Client side requests. Do i really still need to implement those rules ?
I really like the idea of all these videos, but because I’m a bit of a noob developer, I have a hard time picturing the use cases in real apps. What has always helped is having super basic apps using these cases and watching what happens instead of just discussing what would happen.
It says that the video will cover a case where access will be based on some other data in some other collection but then never covers this part. "Some other data located in some other part of your db"
How can we stop users adding new properties for objects? E.g. I can validate the name and dob fields, but how do I stop them adding 50 new fields on an update for example?
if I choose to store my users info using the firebase auth user profile and use the user.diplayName field to store username, and on a Firestore collection('reviews') I have reference to the username. Say when I want to update a user's username (user.displayName), I also need to go and update all duplicated data on the reviews collection. My question is can I make a batch job that consists of a auth.updateProfile and a firestore.docRef.update?
It would be great if you showed the structure inside the firebase dashboard as well... I can't get shit to work... I assume reviews are a subcollection of a first-level document the first level documents all represent a restaurant, right?... and the 'score' is a field inside the subcollections documents? I can't get nothing to show at all.. even if I just check request.resource.data.score is number.... ive tried adding score as a number and put in 3 in all places where I can make a field, I even only have 1 main document, and 1 document in the sub-collection, so a total of 2 places where I have put in 3 as a number with a key as score ... but yet I'm denied access... The only thing that works for me is to check if the user is logged in... then I can access it all, no other rules work for me...
Lets say i have school. teacher wants to create collection in document for specific students, and few documents for all students in calss . how can i model this ?? I cant assign roles at such granular control
You mentioned leaking private data because you can only get a whole document, and so separating into a "private" document with security rule is needed. (e.g. you should not store user's sensitive data in the same document as public data) However when I look at REST API it looks like getting a partial document is supported by DocumentMask. firebase.google.com/docs/firestore/reference/rest/v1beta1/projects.databases.documents/get Is it just updated?
From my understanding, if your client is following the exact code of your app, this is correct, there's nothing to worry about. But let's pretend for a moment that the client is a malicious user. If all the private fields are grouped with the public fields, you can't have separate security rules for the fields. And thus, that malicious user who is able to request data by pretending to be sent from your app would get private data - something that you wouldn't want.
it's only now hitting me that i created an entire backend for my app because i didnt understand security rules and therefore couldnt open up writes to the frontend 😥😥
hi sir, thanx for making this video. but i have some error i am facing right now. error is: Listen for Query(users/-M9hU8UJtjjJws3-_UYE) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}. And query : future: Firestore.instance.collection("users").document(widget.profileID).get(), builder: (context, snapshot) . how to fix?
Hi brother can u help me pls. I have this security rules for an ecommerce site but why is it that the products are not showing unless I do allow access top the shallowest match path. This line below, knowing if I allow read access to this line then everyone can read all my documents even those I want to set private. match /{document=**} { allow read if false; // I have to set this to true before all products for selling by all users are displayed in the dashboards of any user. So I cannot do selective securty if I do set it to true since everything is allowed to be read. rules_version = '2'; service cloud.firestore {
match /databases/{database}/documents { match /{document=**} { allow read,create,update,delete: if false;
match /users/{uid}{ allow read; allow update:if request.auth.uid == uid;
match /users/{uid}/products { allow read; allow create: if request.auth.uid != null;
match /users/{uid}/products/{product}{ allow read; allow create: if request.auth.uid != null; allow delete,update: if request.auth.uid == uid;
How can I make a collection of users with their email & displayName searchable, so you can search for your friend via email or displayName, but disallow someone from getting all these user documents with the email addresses and displayNames inside?
Aah yes. For that you need to have a field in user's document that contains the number of documents a user does have right now. And then you can create a rule to allow or reject based on that field. And for that field, I think you need to create a cloud function that updates this field every time your user create/delete a document. Happy coding
When I try to aply rules I get this error: No se han podido guardar las reglas: Línea 1: Parse error. Like this: service cloud.firestore { match /databases/{database}/documents { match /{document=**} { allow read, write: if false; } } }
Take an extremely technical engineer with extremely good communication skills and extreme work ethic to put together such an extensive series and you get this guy
I love you Database Robin Williams!
I have thought this since episode one. Way to call it out
@@microcontrolledbot hahaha
Never able to un-see.
I had the exact same thought straight away lmao. This guy is awesome
came to find this comment.
02:57 Rules in the Firebase Console
04:11 Rules do not cascade (unlike RTDB)
05:37 Wildcard variables
07:53 Rules will be mostly based on 3 pieces of data: data request, target documents, some other data
10:21 CRUD: create rules
12:06 CRUD: update rules
14:04 CRUD: read rules
16:49 Limit restaurant updates to editors and owners
18:18 Adding SuperAdmin and Moderators
19:25 Custom Functions
20:15 Check if Resource is valid using a function and refactoring rules
Full playlist: ua-cam.com/play/PLl-K7zZEsYLluG5MCVEzXAQ7ACZBCuZgZ.html
hero
Thank you so much
ZOV
Wow, easily the best video education series I've ever watched. Production quality through the roof and presenter is clearly knowledgable and able to communicate in a fun and direct way. Thank You!
Love this. Fast, efficient, clear, and engaging. This is exactly what I want to see in a technical video. No filler, no wasted time, not vague or confusing. Thank you!
Who else noticed that little thread on his right shoulder?! 😁 By the way, a great video! 👍👍
Omg now I can't watch the video
I went directly to the comments to see if I were alone noticing it haha (25s passed so far...)
That's the only reason I scrolled down to see the comments
that thread broke the security rules and listening the video!!
how could you NOT, like the thumb bandage one...
The whole series is great! I'm glad you aren't afraid of lengthy videos. The short videos on the channel are good too, but intermediate or more experienced developers want more details. Please keep this up!
Also, I feel I laughed more than I should at the "moist" joke :)
To be honest, I never realized how 22 minutes passed, like in a snap
Thank you for using a realistic use case like the restaurant app, with some decently complex data, instead of just a "to do app" like every other tutorial out there hah
Glad it was helpful!
Wow, this taught me everything I needed to know, thanks so much for uploading this video! 😊
I dunno what kinda docs you're taking about, but when I spent hours each night struggling to figure out these rules (which I eventually figured out), you answers all my questions in a single 20 min video.
Looking forward at early 2019 for Todd's video on #7- Hey we updated Firestore to support Geoqueries, collection group queries,OR queries. 😁
Tod always provide a great perspective to look at thing, and create product that is easier for us developer to use
Security Rules, like the noun, but also Security Rules! like the verb... All I know is Database Robin Williams Rules!
Seriously thank you for making learning a new language much less intimidating
Best tutorial I have seen so far for learning the security rules :)
Just brilliant - so clear and simply explained - thank you!!!!
So nice with a high-quality tutorial series where the presenter is SO good that he doesn't need to beg the viewer to subscribe; we'll do it anyway! And share! Can't wait for the next instalment.
Did the example for matching google.com contain a bug because it also matches something@totallynotgoogle.com ?
What an awesome video, and now I've seen there's an entire series from this guy. explained it perfectly for my ape brain. Thank you!
How do you handle when people put random irrelevant data in a document? Is there a way to whitelist which fields are allowed on a document? This could be a security problem if they predict a field that we would add later.
Is Cloud Firestore a good selection for a bank account? Can it be safe and reliable to save people's money which is a number to the Cloud Firestore? My concern is reliability and security. Any suggestions?
Best videos series of this channel, as a developer I love it!
Love your entire series. Would love to see a video on perhaps the best ways to combine all the services together. For example in my current app, we are using realtime database, firestore, firebase authentication, storage and now cloud messaging. With so many products one could see how confusing the entire product ecosystem is...
Commonly a large company would have front AND backend devs working on a project. (assuming a 'traditional' server backend is involved). But with Firestore, is this still the case?... for example, with Firebase (and cloud functions, security rules, etc.) typically would this mostly still be done by a backend developer? Or with Firebase is the intent for the front end devs to do this themselves (and thus essentially be full stack)?
my exact question rn! seeing it's not being answered, I have to go elsewhere 😪
While running the Firestore Rules simulator, request.token seems to be null.
And if at all we provide it using Custom Auth Provider, we need to provide "super_admin" it at the "token" level, which is not the case with actual real world situation, as the custom claim is in "customClaims" property of "token" property.
TL;DR:
With simulation ->
"token":{
"super_admin":true
}
With real case ->
"token":{
"customClaims":{
"super_admin":true
}
}
Best tutorials for Firebase.
I like this guy. He's like my next-door uncle who always is funny and nice to people.
Great Series, the string cut the string.
What if technically someone retrieved information from my app and created his own with the same credentials? He can send to my database the same requests as I do, e.g. send message. I am really confused by it because my project information is public on my website.
for me ×0.75 playback speed is good
If you access to a document field from a security rule, does it count as a read? 💸
Great video, great episode: this answered a lot of questions I had regarding security for which I am grateful!
I still have one concern regarding security due to the schemaless nature of the database. How can I prevent malicious users from spamming my database by writing data to 'fields' I haven't defined? Because from what I understand, anybody with 'write' access to a certain documents can make a function that writes random key:value pairs to the database and run it from a console.
Is is possible to write a function that prevents all keys that aren't defined by me 'the programmer' to be written to the database?
Super awesome video thanks for making these and going into some detail!
Love the video! Thanks a lot for clear instructions. They have helped me a lot to improve my app!! It's nice to watch which gives an honest approach to the content.
Finally a video that explains this. Thanks, you helped a lot 😁
Is it true that using sub-collections basically is a kind of extra security? For example, you know that users can only get a sub-collection that belongs to a specific parent id, so unless they know all the parent ids and loop over that, there is no way they can just get a list of all the item in a sub-collection.
This is a great series. Please do a episode all about pagination.
Please, open the ability to translate subtitles to other languages. This material is interesting for many peoples. Not only for English speakers.
Even though it's possible to create Security Rules on each document-attribute, is it possible for a client to add new fields in the update? I can't help but thinking about having all updates/create go theough a Cloud Function first to make more fine-grained validation.
I have a question when we use the get() method at 16:50, does that get call count to my readers in firestore?
yes
is this any better or worse than using a node.js backend? It seems like a LOT of little rules to write when node.js would make it simpler or would it not?
So happy with this video. It really goes into proper depth and will definitely help me secure everything properly!
The local emulator definitely deserves another episode though (or maybe an example on git?), as the documentation is quite hard to comprehend fully.
how to allow only some specific internal ip addresses from login into my firebase auth login we app?? please provide me some tips it is turning like a nightmare.
Amazing! But, where did you get that sick sticker for the laptop? 😍
It would be the video if u even show the structure of firebase
I love your explanations mate!
If I write thorough security rules within Firestore, can I eliminate them from the client-side code entirely or should I have them in both places?
Your videos are a delight! Thank you :D
Glad you like them!
I don't know if something has changed at the moment, but it continues to appear in the documentation that the first thing we must put is "rules_version = '2';"; the truth is that it is the first error and it does not allow publishing only by placing that in the rules
When you have a "roles" map of uid => role, how can you validate to ensure only the owner can add/remove editors, but an editor can remove themselves from the map?
Nice Videos!
It'd be great if Summary of rules/points can be given in description section.
6:54 best thing i heard all day
security rulez!
Hi Guys. I implement Firestore within my Backend with Express and have all types of validations against Client side requests. Do i really still need to implement those rules ?
would have been great if you show us how the document snapshot looks like first
I really like the idea of all these videos, but because I’m a bit of a noob developer, I have a hard time picturing the use cases in real apps. What has always helped is having super basic apps using these cases and watching what happens instead of just discussing what would happen.
Excellent video, with a strong use case !
It says that the video will cover a case where access will be based on some other data in some other collection but then never covers this part. "Some other data located in some other part of your db"
Thanks Todd, super useful and relevant to my development efforts.
How can we stop users adding new properties for objects? E.g. I can validate the name and dob fields, but how do I stop them adding 50 new fields on an update for example?
if I choose to store my users info using the firebase auth user profile and use the user.diplayName field to store username, and on a Firestore collection('reviews') I have reference to the username. Say when I want to update a user's username (user.displayName), I also need to go and update all duplicated data on the reviews collection. My question is can I make a batch job that consists of a auth.updateProfile and a firestore.docRef.update?
Very nicely presented and explained. 👍
It would be great if you showed the structure inside the firebase dashboard as well... I can't get shit to work... I assume reviews are a subcollection of a first-level document the first level documents all represent a restaurant, right?... and the 'score' is a field inside the subcollections documents? I can't get nothing to show at all.. even if I just check request.resource.data.score is number.... ive tried adding score as a number and put in 3 in all places where I can make a field, I even only have 1 main document, and 1 document in the sub-collection, so a total of 2 places where I have put in 3 as a number with a key as score ... but yet I'm denied access...
The only thing that works for me is to check if the user is logged in... then I can access it all, no other rules work for me...
Wow this is explained very well, nice vid
Could you do a video on Firestore pagination? Thank you very much for your video ;)
How about a crud datatable with sort, pagination and search, all server side
Club Databass 😂
Awesome video BTW, I learned a lot.
ohhh thanks so much.. i had two days trying to understand ... thank you.
Lets say i have school. teacher wants to create collection in document for specific students, and few documents for all students in calss . how can i model this ?? I cant assign roles at such granular control
Why is there a fox trying to eat a bird on the laptop cover? What does it mean?
What programming language is that?
To use the Security rules i must use Firebase auth?
You mentioned leaking private data because you can only get a whole document, and so separating into a "private" document with security rule is needed. (e.g. you should not store user's sensitive data in the same document as public data) However when I look at REST API it looks like getting a partial document is supported by DocumentMask. firebase.google.com/docs/firestore/reference/rest/v1beta1/projects.databases.documents/get Is it just updated?
From my understanding, if your client is following the exact code of your app, this is correct, there's nothing to worry about. But let's pretend for a moment that the client is a malicious user. If all the private fields are grouped with the public fields, you can't have separate security rules for the fields. And thus, that malicious user who is able to request data by pretending to be sent from your app would get private data - something that you wouldn't want.
it's only now hitting me that i created an entire backend for my app because i didnt understand security rules and therefore couldnt open up writes to the frontend 😥😥
The fox on the computer looks a lot like the Firefox... :)
how to fetch a particular fields from the firestore in angular firebase
How do i navigate to two worded collections like ‘user record’? ex: match/ user record/{urId}
hi sir, thanx for making this video. but i have some error i am facing right now. error is: Listen for Query(users/-M9hU8UJtjjJws3-_UYE) failed: Status{code=PERMISSION_DENIED, description=Missing or insufficient permissions., cause=null}. And query : future: Firestore.instance.collection("users").document(widget.profileID).get(),
builder: (context, snapshot) . how to fix?
haha, that IAM joke was really nice
Very useful tutorial! Thanks!
please you can explain how to use firebase database REST API
I really wish you showed your actual Firestore Database structure 😕
This guy cracks me up
i can't understand how this rules works 😥 check booleans don't stop someone to make a request data pass through the rules
This is awesome! We still need a backup solution that does not cost 1000$
i always thought the cloud functions would be handling all this stuff..
me too but I think this is better because no need to pay for cloud functions this way
Man i like ur vids, always .
Normally, I would hate these corny jokes. But I love these.
Great video! Keep it up!
So is it todd_tacos or todds_tacos??
my firestore work only in one device or on emulator.Whyyyyy?
Hi brother can u help me pls. I have this security rules for an ecommerce site but why is it that the products are not showing unless I do allow access top the shallowest match path. This line below, knowing if I allow read access to this line then everyone can read all my documents even those I want to set private.
match /{document=**} {
allow read if false;
// I have to set this to true before all products for selling by all users are displayed in the dashboards of any user. So I cannot do selective securty if I do set it to true since everything is allowed to be read.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read,create,update,delete: if false;
match /users/{uid}{
allow read;
allow update:if request.auth.uid == uid;
match /users/{uid}/products {
allow read;
allow create: if request.auth.uid != null;
match /users/{uid}/products/{product}{
allow read;
allow create: if request.auth.uid != null;
allow delete,update: if request.auth.uid == uid;
}
}
}
}
}
}
this guy is awesome! I've become a fan
how to use pagination?
@@ToddKerpelmanCorp That is really great news. I had just requested that in my recent comment.
How can i block any http get request even if i havent written any rules???
Upvoted, even tho i cant get mine to work... only != null will work, all other rules will fuck me up
This genuinely is one of the more enjoyable "tooling how to" videos that I've seen. Great work Todd and Firebase team!
How can I make a collection of users with their email & displayName searchable, so you can search for your friend via email or displayName, but disallow someone from getting all these user documents with the email addresses and displayNames inside?
stackoverflow.com/questions/54174979/how-to-protect-email-addresses-but-make-them-searchable-with-firestore
Is there a way to write a rule that limit the number of documents a user can create ?
Aah yes. For that you need to have a field in user's document that contains the number of documents a user does have right now. And then you can create a rule to allow or reject based on that field.
And for that field, I think you need to create a cloud function that updates this field every time your user create/delete a document. Happy coding
this is great!!
hidden got you in Firebase
When I try to aply rules I get this error: No se han podido guardar las reglas: Línea 1: Parse error.
Like this:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read, write: if false;
}
}
}