Thank you for your feedback, Sahan! Don't forget to check out the Codelab link below for a more hands-on experience 😄: Protect Your Data with Firestore Security Rules → goo.gle/3Hoh64w
I watched this video earlier and found you were answering questions that I had in mind, and I didn't know your Firebase videos included explanations to further knowledge on your Firebase docs, so it's really good to get this practical side from you and I will definitely be looking out for more ... It was Todd's video on unit testing that had me seeking videos by Rachel ... I think to add to the learning that is intended, that screenshots of the Firestore environment could be included for an explanation of how the values in rules or within Firestore correspond ... Right now I'm at 4:47 and I have a question ... The rule says allow 'create' if the ownerUID of an existing todo-collection document matches the user-identity of the current user ... My question is, would this rule work? Because 'create' seems to initiate a new document, so then I expect there to not be an existing document that would be relevant, or, at the very first time this rule is run, I would expect there'd be no possibility of a corresponding document ... Am I correct in this view or is there something I have misinterpreted here please?
At 5:14 I have just noticed something for the first time ... The get( ) call begins with the name of the collection and not with /databases/{database}/documents/ etc ... My question is, under which circumstances could I get away with making a get( ) call in this way please? When is it okay to leave out /databases/ etc. and if the collection within the get( ) call is a sub-collection, could that collection be stated without also stating its parent collection?
Just getting started with them (already behind the 8-ball as I developed app with auth barely in the back of my mind) ... this was great info. Going to catch some more videos before I embark ... and will still be ready to revamp as I get more familiar with it.
I think there's a bug in this example: `allow create: if resource.data.ownerUID == request.auth.uid`. In a create scenario, resource will always be null and that rule will always throw an exception, resulting in permission denied. I think you want `request.resourse.data.ownerUID`.
This is actually not a bug. It insures that no body can hijack the user session and in your front end you have to provide the Auth.UID within the payload of your document. So every document has owner (Auth.UID). Hope it's clear now.
I think it is a bug too. As a matter of fact at 4:09, they tell you that "Resource object is the document that the user is trying to access as it is currently written in the database. If this is the create method, the resource object will be empty."
Question: I have used firebase for Unity extensively, within the Unity library you can import just firebase.authentication as a library and use it for authentication purposes. Now I am working on a python project using Django, and I want to use Firebase, I can see that there are some third-party libraries like pirebase, pirebase4 but no official firebase python library for authentication. Is the firebase_admin library a good choice? as it's available for python and does authentication.
Hi Bost, check out this other video I made earlier: th-cam.com/video/rbuSx1yEgV8/w-d-xo.html (Getting started with Firebase Authentication on the web - Firebase Fundamentals) - it covers how to monitor authentication state using onAuthStateChanged.
@@PeterFriese Hi there, I have tried this already, however when I try logging in to one page, it says my user is null on other pages. This is very frustrating as the user has to login to each page that requires login.
Rules are written at the document level, not the field level. You can write a rule that only allows updates if a specific field is updated, but if you want to set different access controls on a specific field, pull that into a different document. Subcollections are great for that.
Good video, but wrong title, it's not a deep dive, but a quick overview. A deep dive video should be much more detailed and longer, but good introduction.
A rule can't "overwrite" another rule; any rule can grant *additional* access. This grants global access to admins; modify for however you're tracking admins: ``` rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { // Allow admins to read or write to any document match /{document=**} { allow read, write: if auth.token.isAdmin == true; } // Rules for non-admins // Blog posts match /posts/{postID} { allow create: if ; ... } } } ```
What a clear explanation this was. Slow and clever. Thanks 😊
Thank you for your feedback, Sahan! Don't forget to check out the Codelab link below for a more hands-on experience 😄:
Protect Your Data with Firestore Security Rules → goo.gle/3Hoh64w
I watched this video earlier and found you were answering questions that I had in mind, and I didn't know your Firebase videos included explanations to further knowledge on your Firebase docs, so it's really good to get this practical side from you and I will definitely be looking out for more ... It was Todd's video on unit testing that had me seeking videos by Rachel ... I think to add to the learning that is intended, that screenshots of the Firestore environment could be included for an explanation of how the values in rules or within Firestore correspond ... Right now I'm at 4:47 and I have a question ... The rule says allow 'create' if the ownerUID of an existing todo-collection document matches the user-identity of the current user ... My question is, would this rule work? Because 'create' seems to initiate a new document, so then I expect there to not be an existing document that would be relevant, or, at the very first time this rule is run, I would expect there'd be no possibility of a corresponding document ... Am I correct in this view or is there something I have misinterpreted here please?
I love firebase security rules, easy to understand and simple to test
I don't agree with the second part specially if you don't have the emulators
At 5:14 I have just noticed something for the first time ... The get( ) call begins with the name of the collection and not with /databases/{database}/documents/ etc ... My question is, under which circumstances could I get away with making a get( ) call in this way please? When is it okay to leave out /databases/ etc. and if the collection within the get( ) call is a sub-collection, could that collection be stated without also stating its parent collection?
Just getting started with them (already behind the 8-ball as I developed app with auth barely in the back of my mind) ... this was great info. Going to catch some more videos before I embark ... and will still be ready to revamp as I get more familiar with it.
This video is great. Thank you.
this video saved my life. nice tutorial
This was super informative!
Very well explained.
Glad you liked it
I learned more. Thanks a lot
Hello. What is the same way for Real Time Database?. Why all videos is only firestore?.
I think there's a bug in this example: `allow create: if resource.data.ownerUID == request.auth.uid`. In a create scenario, resource will always be null and that rule will always throw an exception, resulting in permission denied. I think you want `request.resourse.data.ownerUID`.
This is actually not a bug. It insures that no body can hijack the user session and in your front end you have to provide the Auth.UID within the payload of your document.
So every document has owner (Auth.UID).
Hope it's clear now.
@@3mro_coding I think it's just a typo and what they really want is `request.resourse.data.ownerUID`
@@3mro_coding Please explain this more. I don't get what you are saying.
I think it is a bug too. As a matter of fact at 4:09, they tell you that "Resource object is the document that the user is trying to access as it is currently written in the database. If this is the create method, the resource object will be empty."
Great video, this helps out a bunch! Thanks.
Is there a way to create custom functions in rtdb rules as well? I have to repeat the same rules over and over again and my code is becoming a mess...
Honestly, the best way to maintain RTDB rules is using BOLT to generate rules. github.com/FirebaseExtended/bolt/blob/master/docs/guide.md
Question: I have used firebase for Unity extensively, within the Unity library you can import just firebase.authentication as a library and use it for authentication purposes. Now I am working on a python project using Django, and I want to use Firebase, I can see that there are some third-party libraries like pirebase, pirebase4 but no official firebase python library for authentication. Is the firebase_admin library a good choice? as it's available for python and does authentication.
Interesting ❤❤❤
With Firebase auth, how can I make it where you only need to login to homepage to get same account logged in on different pages??
Hi Bost, check out this other video I made earlier: th-cam.com/video/rbuSx1yEgV8/w-d-xo.html (Getting started with Firebase Authentication on the web - Firebase Fundamentals) - it covers how to monitor authentication state using onAuthStateChanged.
@@PeterFriese Hi there, I have tried this already, however when I try logging in to one page, it says my user is null on other pages. This is very frustrating as the user has to login to each page that requires login.
Thank you. However, is it possible to add a security rule which is only invoke when there is an attempt to update a particular field in a document?
Rules are written at the document level, not the field level. You can write a rule that only allows updates if a specific field is updated, but if you want to set different access controls on a specific field, pull that into a different document. Subcollections are great for that.
@@rachelmmyers Thank you some much
It's almost impossible to not have a server. You will need to execute code elsewhere. That's where cloud functions come in.
❤❤❤
I love you so muchhhhh
TIL , thank you
You have to love Firebase ♥️
Good video, but wrong title, it's not a deep dive, but a quick overview. A deep dive video should be much more detailed and longer, but good introduction.
I m worried about firebase billing if my social media reached more then 1 million user 😭
hello sir, If i have a 'admin role' can read and write every documents, how can i write this role which overwrites other roles?
A rule can't "overwrite" another rule; any rule can grant *additional* access. This grants global access to admins; modify for however you're tracking admins:
```
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Allow admins to read or write to any document
match /{document=**} {
allow read, write: if auth.token.isAdmin == true;
}
// Rules for non-admins
// Blog posts
match /posts/{postID} {
allow create: if ;
...
}
}
}
```
@@rachelmmyers thank you so muchhh