Firestore security rules for public and private fields

悲&欢浪女 2020-11-30 04:04

With Firebase Realtime Database security rules, both public and private data can exist in the same tree using a rule such as the following.

However, when using Fi

1 answer
  • 2020-11-30 05:06

    So you can't have separate security rules for separate parts of a document. You can either read the entire document, or you can't.

    That said, if you wanted to give your userID document a "public" and "private" subcollection that contained documents that were public and private, that's something you can totally do, just not in the way you've currently set up your security rules.

    The match /{private=**} bit as you've written it doesn't mean, "Match any subcollection that's called 'private'". It means, "Match any subcollection, no matter what, and then assign it to a variable called private". The "Recursive matching with wildcards" section of the docs covers this in more detail.

    Also, you need to reference request.auth.uid to get the user's ID.

    So, you probably want something more like this:

    // Firestore
    service cloud.firestore {
      match /databases/{database}/documents {
        match /users/{userId} {
          // You'll probably want to add security rules around the user document 
          // itself. For now, though, let's look at our subcollections:
    
          match /private/{anything=**} {
            // Only the user can read or write documents in their private collection
            allow read, write: if request.auth.uid == userId;
          }
    
          match /public/{anything=**} {
            // Anybody can read documents here, as long as they're signed in
            allow read: if request.auth != null;
            // Only the owning user can write to their own public collection
            allow write: if request.auth.uid == userId;
          }
        }
      }
    }
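
A simplified model of the wildcard matching the answer describes, added here as an illustration (it is not part of the original answer and not Firestore's implementation). It assumes rules version 1 semantics, where `{name=**}` consumes one or more path segments, and that the question's `match /{private=**}` was nested under `/users/{userId}`; `matchPath`, `report` and the sample paths are constructed for this example.

```javascript
// Simplified model of Firestore rules path matching (rules version 1 semantics).
// Added illustration only; not Firestore's implementation.

// Match a full `match` pattern against a document path.
// Returns the wildcard bindings on a match, or null when the path does not match.
function matchPath(pattern, path) {
  const pat = pattern.split('/').filter(Boolean);
  const segs = path.split('/').filter(Boolean);
  const bindings = {};
  for (let i = 0; i < pat.length; i++) {
    const recursive = /^\{(\w+)=\*\*\}$/.exec(pat[i]);
    if (recursive) {
      // {name=**} must come last and, in version 1, needs at least one segment.
      if (i !== pat.length - 1 || segs.length <= i) return null;
      bindings[recursive[1]] = segs.slice(i).join('/');
      return bindings;
    }
    if (i >= segs.length) return null;
    const single = /^\{(\w+)\}$/.exec(pat[i]);
    if (single) bindings[single[1]] = segs[i]; // {name} binds exactly one segment
    else if (pat[i] !== segs[i]) return null;  // a literal segment must be equal
  }
  return segs.length === pat.length ? bindings : null;
}

// Constructed sample paths under one user document.
const paths = [
  '/users/alice/private/settings',
  '/users/alice/public/profile',
  '/users/alice/public/posts/p1/comments/c1',
  '/users/alice',
];

// Nested match blocks concatenate: /users/{userId} + the inner pattern.
const asWritten = '/users/{userId}/{private=**}';         // assumed nesting of the question's rule
const intended = '/users/{userId}/private/{anything=**}'; // pattern used in the answer

// For each sample path, show whether the pattern matches and what it binds.
function report(pattern) {
  return paths.map((p) => ({ path: p, bindings: matchPath(pattern, p) }));
}

console.log(JSON.stringify(report(asWritten), null, 2));
console.log(JSON.stringify(report(intended), null, 2));
```

The first report shows `private` bound to `public/profile` for a public document: the name is only a variable, so the owner-only rule would apply to every subcollection rather than just the private one.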
    