Cloud Firestore Enterprise edition in Native mode is now available! Learn more.

Security Rules for Pipeline operations

While Pipeline operations offer a rich set of features, the Rules engine is restricted to recognizing comparison (e.g. > ) and logical (e.g. or ) filters to ensure constraint satisfiability and security.

Supported Filter Expressions

For Pipeline operations to be constrained to the bounds set by your rules, it must use logical and comparison operators against constants. The following filter types are recognized by the Rules engine:

Comparisons: eq , neq , gt , gte , lt , lte , in , arrayContains .
Logical: and , or .

Here are some examples:

where(eq("foo", 2))
where(lt("foo", 2))
documents("/user/1", "/user/2").where(...)

Request Properties

You can continue to use the request object to validate authentication and query context, though some properties available in standard queries are not supported in Pipeline operations.

Supported properties

The new engine continues to support the following properties:

request.auth : Access user uid and token data.
request.method : Identifies the operation (For example, get , list ).
request.path : The path of the resource being accessed.
request.time : The server-side timestamp of the request.

Unsupported properties

The request.query properties such as limit , offset , and orderBy are unsupported for Pipeline operations rule checks due to the complexity of determining these values in multi-stage queries.

Pipeline stage handling and permissions

There are different pipeline stages that map to specific granular operations in security rules:

allow list permissions: Triggered by collection() , collectionGroup() , and database() stages.
allow get permissions: Triggered by the documents() stage, which is treated similarly to a batch get operation.
Literals stage: The literals() stage does not read from the database but can incur costs. To prevent abuse, it must be paired with another stage (like collection() ) that can be verified by rules.

Field modification stages

Rules only operate on stored data and not derived values. If a pipeline includes stages that modify fields (For example, add_fields(...) , replace_with(...) , select(...) , remove_fields(...) ), the Rules engine stops applying filter constraints after that stage is encountered. To ensure that rules works as expected, position your filter stages (i.e. where ) before any stages that can modify the original stored documents.

For example, take the following security rule:

  match 
  
 / 
 databases 
 / 
 { 
 database 
 } 
 / 
 documents 
  
 { 
  
 match 
  
 /cities/{city 
 } 
  
 { 
  
 // 
  
 Allow 
  
 the 
  
 user 
  
 to 
  
 read 
  
 data 
  
 if 
  
 the 
  
 document 
  
 has 
  
 the 
  
 'visibility' 
  
 // 
  
 field 
  
 set 
  
 to 
  
 'public' 
  
 allow 
  
 read 
 : 
  
 if 
  
 resource 
 . 
 data 
 . 
 visibility 
  
 == 
  
 'public' 
 ; 
  
 } 
 }

Denied : This rule rejects the following pipeline because the addFields stage occurs before filtering to documents where visibility is public :

  const 
  
 results 
  
 = 
  
 await 
  
 db 
 . 
 pipeline 
 () 
  
 . 
 collection 
 ( 
 "/cities" 
 ) 
  
 // Filters after a modification stage are ignored by Rules. 
  
 . 
 addFields 
 ( 
 constant 
 ( 
 1000 
 ). 
 as 
 ( 
 "population" 
 )) 
  
 . 
 where 
 ( 
 eq 
 ( 
 field 
 ( 
 "visibility" 
 ), 
  
 constant 
 ( 
 "public" 
 ))) 
  
 . 
 execute 
 ();

Allowed : This rule allows the following pipeline because the where(eq(field("visibility"), constant("public"))) stage occurs before any modification stages:

  const 
  
 results 
  
 = 
  
 await 
  
 db 
 . 
 pipeline 
 () 
  
 . 
 collection 
 ( 
 "/cities" 
 ) 
  
 . 
 where 
 ( 
 eq 
 ( 
 field 
 ( 
 "visibility" 
 ), 
  
 constant 
 ( 
 "public" 
 ))) 
  
 . 
 addFields 
 ( 
 constant 
 ( 
 1000 
 ). 
 as 
 ( 
 "population" 
 )) 
  
 . 
 execute 
 ();