These clips are really good. Keep up the good work and, if you would not mind, do them at least twice as often.
I can't wait for the next one
Will there be a video on unit testing security rules?
Rules don't have a way to perform pure unit tests, but there is a local emulator that you can use to see if your rules allow or deny access to data that you populate in a local instance of Cloud Firestore. If you want to get started with that today, you can check out the documentation and sample project. Eventually there will be a video or blog that goes into some more detail.
firebase.google.com/docs/firestore/security/test-rules-emulator
@dougstevenson3769 Thanks for the reply :)
Crystal clear explanation
Is there any good book that talks about all the features of the security rules in a human way, not in the documentation style that only the documentation writer fully understands? I'm really asking for a book with content similar to these videos.
They have official documentation on the Firebase website. Books are most likely non-existent and if they are, they have a significant chance to be outdated as changes are pretty frequent.
This is a great explanation, I'll implement support for group collection queries soon. I am wondering one thing though. In my project, the root collection contains documents with a certain document ID. I want to check this ID within the group collection query security rule. Do I check the contents of the prefix variable with a regex in this case? In other words, does the prefix also contain the path up until the history collection?
With collection group queries, the prefix wildcard won't have a value. That's because all possible documents have to be assessed with a single execution of the rule (otherwise, the rule wouldn't scale with large data sets). Since the prefix could be different across multiple collections, the rule system doesn't have a static value that can be used.
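Added example, not part of the comment above and not code from the video: a collection group rule for the `history` collection that decides access from a field stored in each document instead of from the `prefix` wildcard. The field name `ownerUid` and the query shown in the comments are assumptions made for illustration.

```firestore-rules
// Recursive wildcards at the start of a path require rules version 2.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Matches every collection named "history", at any depth.
    // {prefix=**} is needed so the rule applies to collection group
    // queries, but the condition below never reads `prefix`.
    match /{prefix=**}/history/{entry} {

      // The decision is based on data carried by the document itself.
      // `ownerUid` (assumed field name) must be written into every
      // history document when it is created.
      allow read: if request.auth != null
                  && resource.data.ownerUid == request.auth.uid;
    }
  }
}

// Matching client query (assumed, web SDK style). The filter has to
// mirror the rule, otherwise the whole query is rejected:
//   query(collectionGroup(db, 'history'),
//         where('ownerUid', '==', currentUser.uid))
```

Because rules are checked against the query as a whole rather than document by document, a collection group query on `history` without the `ownerUid` filter is denied even if every document it would return belongs to the caller.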
Thanks for the explanation, but there is too much terminology used in the explanation of the terminology, making this explanation confusing compared to the original one by Todd I believe.
Does this mean that we have to duplicate almost the entire logic of read/write access from our app into the Firestore Security Rules?
All those nuances of who-can-read-where and under-which-circumstances may be pretty complex, and obviously are hard to implement with Security Rules syntax.
Can we just stick with very basic restrictions, for example:
Users can write: if Only authorized && only in their own collections
and that's it?
What are the chances someone will learn the paths and come up with some tricky requests to get/write from a restricted area?
Can you use node experimental es6 modules (import statements) with Firebase functions? I don't know how to use node's --experimental-modules flag with the Firebase serve command.