This page builds on the concepts inStructuring Security Rules andWriting Conditions for Security Rules to explain howCloud Firestore Security Rules interact with queries. It takes a closer look at howsecurity rules affect the queries you can write and describes how to ensure yourqueries use the same constraints as your security rules. This page alsodescribes how to write security rules to allow or deny queries based on queryproperties likelimit andorderBy.

Rules are not filters

When writing queries to retrieve documents, keep in mind that security rules arenot filters—queries are all or nothing. To save you time and resources,Cloud Firestore evaluates a query against its potential result setinstead of the actual field values for all of your documents. If a query couldpotentially return documents that the client does not have permission to read,the entire request fails.

Secure and query documents based onauth.uid

The following example demonstrates how to write a query to retrieve documentsprotected by a security rule. Consider a database that contains a collection ofstory documents:

/stories/{storyid}

{  title: "A Great Story",  content: "Once upon a time...",  author: "some_auth_id",  published: false}

In addition to thetitle andcontent fields, each document stores theauthor andpublished fields to use for access control. These examples assumethe app usesFirebase Authentication to set theauthor fieldto the UID of the user who created the document. FirebaseAuthentication also populates therequest.auth variable inthe security rules.

The following security rule uses therequest.auth andresource.data variables to restrict read and write access for eachstory to its author:

servicecloud.firestore{match/databases/{database}/documents{match/stories/{storyid}{//Onlytheauthenticateduserwhoauthoredthedocumentcanreadorwriteallowread,write:ifrequest.auth!=null &&request.auth.uid==resource.data.author;}}}

Suppose that your app includes a page that shows the user a list ofstorydocuments that they authored. You might expect that you could use the followingquery to populate this page. However, this query will fail, because it does notinclude the same constraints as your security rules:

Invalid: Query constraints do not matchsecurity rules constraints

// This query will faildb.collection("stories").get()

The query failseven if the current user actually is the author of everystory document. The reason for this behavior is that whenCloud Firestore applies your security rules, it evaluates the queryagainst itspotential result set, not against theactual properties ofdocuments in your database. If a query couldpotentially include documentsthat violate your security rules, the query will fail.

In contrast, the following query succeeds, because it includes the sameconstraint on theauthor field as the security rules:

Valid: Query constraints match securityrules constraints

varuser=firebase.auth().currentUser;db.collection("stories").where("author","==",user.uid).get()

Secure and query documents based on a field

To further demonstrate the interaction between queries and rules, the securityrules below expand read access for thestories collection to allow any user toreadstory documents where thepublished field is set totrue.

servicecloud.firestore{match/databases/{database}/documents{match/stories/{storyid}{//Anyonecanreadapublishedstory;onlystoryauthorscanreadunpublishedstoriesallowread:ifresource.data.published==true||(request.auth!=null &&request.auth.uid==resource.data.author);//Onlystoryauthorscanwriteallowwrite:ifrequest.auth!=null &&request.auth.uid==resource.data.author;}}}

The query for published pages must include the same constraints as the securityrules:

db.collection("stories").where("published", "==", true).get()

The query constraint.where("published", "==", true) guarantees thatresource.data.published istrue for any result. Therefore, this querysatisfies the security rules and is allowed to read data.

OR queries

When evaluating a logicalOR query (or,in, orarray-contains-any)against a ruleset,Cloud Firestore evaluates each comparison valueseparately. Each comparison value must meet the security rule constraints. Forexample, for thefollowing rule:

match/mydocuments/{doc}{allowread:ifresource.data.x >5;}

Invalid: Query does not guarantee thatx > 5 for all potential documents

// These queries will failquery(db.collection("mydocuments"),or(where("x","==",1),where("x","==",6)))query(db.collection("mydocuments"),where("x","in",[1,3,6,42,99]))

Valid: Query guarantees thatx > 5 for all potential documents

query(db.collection("mydocuments"),      or(where("x", "==", 6),         where("x", "==", 42)      )    )query(db.collection("mydocuments"),      where("x", "in", [6, 42, 99, 105, 200])    )

Evaluating constraints on queries

Your security rules can also accept or deny queries based on their constraints.Therequest.query variable contains thelimit,offset,andorderBy properties of a query. For example, your security rulescan deny any query that doesn't limit the maximum number of documentsretrieved to a certain range:

allowlist:ifrequest.query.limit<=10;

The following ruleset demonstrates how to write security rules that evaluateconstraints placed on queries. This example expands the previousstoriesruleset with the following changes:

• The ruleset separates the read rule into rules forget andlist.
• Theget rule restricts retrieval of single documents to public documents ordocuments the user authored.
• Thelist rule applies the same restrictions asget but for queries. Italso checks the query limit, then denies any query without a limit or with alimit greater than 10.
• The ruleset defines anauthorOrPublished() function to avoid codeduplication.

servicecloud.firestore{match/databases/{database}/documents{match/stories/{storyid}{//Returns`true`iftherequestedstoryis'published'//ortheuserauthoredthestoryfunctionauthorOrPublished(){returnresource.data.published==true||request.auth.uid==resource.data.author;}//Denyanyquerynotlimitedto10orfewerdocuments//Anyonecanquerypublishedstories//Authorscanquerytheirunpublishedstoriesallowlist:ifrequest.query.limit<=10&&authorOrPublished();//Anyonecanretrieveapublishedstory//Onlyastory's author can retrieve an unpublished story      allow get: if authorOrPublished();      // Only a story'sauthorcanwritetoastoryallowwrite:ifrequest.auth.uid==resource.data.author;}}}

Collection group queries and security rules

By default, queries are scoped to a single collection and they retrieve resultsonly from that collection. Withcollection group queries, you canretrieve results from a collection group consisting of all collections with thesame ID. This section describes how to secure your collection group queriesusing security rules.

Secure and query documents based on collection groups

In your security rules, you must explicitly allowcollection group queries by writing a rule for the collection group:

1. Make surerules_version = '2'; is the first line of your ruleset. Collectiongroup queries require thenew recursive wildcard{name=**} behavior of securityrules version 2.
2. Write a rule for your collection group usingmatch /{path=**}/[COLLECTION_ID]/{doc}.

For example, consider a forum organized intoforum documents containingposts subcollections:

/forums/{forumid}/posts/{postid}

{  author: "some_auth_id",  authorname: "some_username",  content: "I just read a great story.",}

In this application, we make posts editable by their owners and readable byauthenticated users:

servicecloud.firestore{match/databases/{database}/documents{match/forums/{forumid}/posts/{post}{//Onlyauthenticateduserscanreadallowread:ifrequest.auth!=null;//Onlythepostauthorcanwriteallowwrite:ifrequest.auth!=null &&request.auth.uid==resource.data.author;}}}

Any authenticated user can retrieve the posts of any single forum:

db.collection("forums/technology/posts").get()

But what if you want to show the current user their posts across all forums?You can use acollection group query to retrieveresults from allposts collections:

varuser=firebase.auth().currentUser;db.collectionGroup("posts").where("author","==",user.uid).get()

rules_version='2';servicecloud.firestore{match/databases/{database}/documents{//Authenticateduserscanquerythepostscollectiongroup//Appliestocollectionqueries,collectiongroupqueries,and//singledocumentretrievalsmatch/{path=**}/posts/{post}{allowread:ifrequest.auth!=null;}match/forums/{forumid}/posts/{postid}{//Onlyapost'sauthorcanwritetoapostallowwrite:ifrequest.auth!=null &&request.auth.uid==resource.data.author;}}}

{  author: "some_auth_id",  authorname: "some_username",  content: "I just read a great story.",  published: false}

rules_version='2';servicecloud.firestore{match/databases/{database}/documents{//Returns`true`iftherequestedpostis'published'//ortheuserauthoredthepostfunctionauthorOrPublished(){returnresource.data.published==true||request.auth.uid==resource.data.author;}match/{path=**}/posts/{post}{//Anyonecanquerypublishedposts//Authorscanquerytheirunpublishedpostsallowlist:ifauthorOrPublished();//Anyonecanretrieveapublishedpost//Authorscanretrieveanunpublishedpostallowget:ifauthorOrPublished();}match/forums/{forumid}/posts/{postid}{//Onlyapost's author can write to a post      allow write: if request.auth.uid == resource.data.author;    }  }}

{  amount: 100,  exchange: 'some_exchange_name',  timestamp: April 1, 2019 at 12:00:00 PM UTC-7,  user: "some_auth_id",}

rules_version='2';servicecloud.firestore{match/databases/{database}/documents{match/{path=**}/transactions/{transaction}{//Authenticateduserscanretrieveonlytheirowntransactionsallowread:ifresource.data.user==request.auth.uid;}match/users/{userid}/exchange/{exchangeid}/transactions/{transaction}{//Authenticateduserscanwritetotheirowntransactionssubcollections//Writesmustpopulatetheuserfieldwiththecorrectauthidallowwrite:ifuserid==request.auth.uid &&request.data.user==request.auth.uid}}}

• For a more detailed example of role-based access control, seeSecuring DataAccess for Users and Groups.
• Read thesecurity rules reference.