Firebase with React, v2 Firebase with React, v2

Add Security Rules for Registration

Check out a free preview of the full Firebase with React, v2 course:
The "Add Security Rules for Registration" Lesson is part of the full, Firebase with React, v2 course featured in this preview video. Here's what you'd learn in this lesson:

Steve adds security rules so that users can read their own blog posts.

Get Unlimited Access Now

Transcript from the "Add Security Rules for Registration" Lesson

[00:00:00]
>> Steve: But first, why isn't it gonna work?
>> Speaker 2: Permissions.
>> Steve: Permissions. Permissions, the idea of either reading or writing is going to blow up. Because we went from a wild west of, do whatever you want to the database, to nothing, unless we say so. So now, it means we have to say so.

[00:00:25]
>> Steve: Cool, so let's flip over to those rules,
>> Steve: And we're gonna add a second rule here.
>> Steve: We're gonna say, for matching,
>> Steve: userId,
>> Steve: It's a profile, there's nothing secret in it, so we're gonna allow anyone to read them. You can imagine a world where it's like Twitter, eventually, we didn't build the UI for this.

[00:00:53] But you can imagine a world where they can go visit a given user, and maybe see all their posts, or something along those lines. So it makes sense to let someone read something, right? One quick thing that, as I think about it is, these security rules apply to the entire document, right?

[00:01:12] So if you're like, okay, I want to let them read X, Y, and Z properties, but not A, B, and C? You should either make a separate document, or maybe a sub-document in a collection, or something like that. But you can't say, only certain properties, they can either read the document or they can't read the document.

[00:01:28] All right, and then we'll allow write if the request.auth.uid == the userId of the document, so this idea up here.
>> Steve: So we'll save that,
>> Steve: And now we're gonna put it in the two places.
>> Steve: We'll go ahead, and in the SignUp,
>> Steve: We're gonna say,
>> Steve: createUserProfileDocument, with that user we just made, plus the displayName, that's that additional data.

[00:02:24]
>> Steve: All right, and then in the Application component,
>> Steve: We're gonna say,
>> Steve: So we should get back the full user at this point. We'll say, user, this needs to become an asynchronous function.
>> Steve: We'll say user is,
>> Steve: Now, if we think about the code, it conditionally checks to see if it exists, but it always returns, getting the document, no matter what.

[00:03:02] So it basically just saved us some conditional logic, with this way, we don't have to call both. We can call it, it will only create the document if it needs to, and we'll get it back, no matter what.
>> Steve: We'll call this,
>> Steve: userAuth, I just can't name them both user.