Explore the fundamentals of Firestore security rules with this quiz, designed to help you understand how to control access and protect your cloud database. Learn about rule structure, permissions, and best practices for securing Firestore data with real-world scenarios.
Which line correctly starts a Firestore security rule for a collection named 'users'?
Explanation: The 'match /users/{userId} {' statement correctly defines the path for rules targeting each document in the 'users' collection. 'route /users:id {' and 'path /users(userId) {' are not valid syntax in Firestore rule definitions. 'collection users(*userId) {' uses incorrect syntax and will cause an error. Only 'match' is used to declare rule paths.
To allow anyone to read documents in the 'posts' collection but restrict write access, which rule is appropriate?
Explanation: The correct answer uses 'allow read: if true;' to permit all reads and 'allow write: if false;' to deny writes. 'allow get' and 'allow put' do not accurately describe Firestore operations. 'allow all: if true;' is not valid syntax. Allowing 'write' without restriction would let anyone modify data, which is not desired here.
In the rule 'match /items/{itemId} { ... }', what does '{itemId}' represent?
Explanation: '{itemId}' serves as a wildcard, allowing the rule to apply to any document in the 'items' collection regardless of its specific ID. It does not refer to the database name or require documents to be named 'itemId'. The rule is not restricted to documents with the ID literally set as 'itemId', but works for any document under '/items/'.
To permit only authenticated users to read a collection, which condition should be used?
Explanation: The condition 'if request.auth != null' checks that a user is authenticated before granting access. 'if request.token.exists' is not valid Firestore syntax. 'if read.auth == true' and 'if auth.present' use incorrect property names and would not function as intended. Only 'request.auth' is the built-in way to refer to authentication data.
Which statement grants both read and write access within rules?
Explanation: 'allow read, write: if condition;' is the correct syntax to grant both read and write permissions based on a condition. The phrases 'accept get, set: if true;', 'enable access: if valid;', and 'permit all: if allowed;' are not recognized statements in Firestore rules and would cause syntax errors.
Which of the following is NOT a valid Firestore security rule operation?
Explanation: Firestore security rules recognize operations like 'update', 'delete', and 'list', but 'put' is not a valid operation. 'Update' refers to modifying existing documents, while 'delete' allows removing them. 'List' grants permission to retrieve multiple documents. 'Put' does not apply to Firestore rule operations.
In a rule, how can you restrict writing to a document only if a 'role' field equals 'admin'?
Explanation: The correct way is to use 'allow write: if resource.data.role == 'admin';', which checks the document's field value. 'allow write: if input.role = admin;' mixes up the syntax and operators. 'allow write: when data.role:admin;' is not valid syntax. 'allow write: if resource.value.role != admin;' uses the wrong property and the wrong comparison.
What is the effect of setting 'allow write: if false;' on a collection's rules?
Explanation: 'allow write: if false;' blocks all write operations, meaning no user can create, update, or delete documents in that collection. It does not permit admin-only access unless another rule says so. It does not permit creation of new documents and blocks all write actions, not just updates. It does not affect read operations, only write.
If multiple rules match a request, how does Firestore security determine access?
Explanation: Firestore security rules evaluate all matches and apply the most specific rule relevant to the requested path. It does not simply pick the first rule in the file, nor does it require all rules to allow access. In case of conflicts, the specific match determines the outcome, not the one that simply allows access.
What happens if there is no matching allow statement for a Firestore operation?
Explanation: If no allow rule matches a user's request, the default behavior is to deny access. There is no automatic approval or delayed review process. A syntax error only occurs if the security rules themselves are incorrectly written. Denial by default follows the principle of least privilege and protects data from unauthorized access.