Firebase Security Rules Release Notes

To review release notes for the Firebase console and for other Firebase platforms and related SDKs, refer to the Firebase Release Notes.

September 22, 2022

  • Cross-service Rules (Rules Language enhancement). We're excited to deliver one of the most popular feature requests for Security Rules. Security Rules in Cloud Storage for Firebase now supports cross-service Rules with two brand new functions, firestore.get() and firestore.exists(). These functions let you query your project's Firestore data, similar to the get() and exists() functions in Firestore Rules.

July 8 2021

  • Requests Monitor Rules lets you inspect requests made to your local Firestore Emulator in real-time, including the request method, path, and how Security Rules were evaluated. Check out this blog post for more detail. It's available in the Emulator Suite that shipped in the Firebase CLI v9.16.0.

March 25, 2020

  • Type Checks Rules now checks for common type errors and warnings in the CLI, the Firebase Console, and the Emulator Suite. Errors will block using or deploying your rules, but warnings will not. Take a look at the examples below. Available in Rules Language v1, v2.

  • Rules Playground You can now debug your Firestore and Storage rules in the console by hovering over expressions in the Rules Playground. Check out the documentation or example below for more details.

February 13, 2020

  • Map Diffs (Rules Language enhancement). Map Diffs give the difference between maps. Since request and resource objects are structured as maps, this is great for diffing old and new data. Take a look at the documentation and the examples below. Available in Rules Language v1, v2.

  • Local Variables (Rules Language enhancement). Local variables are now supported in Security Rules! Create a local variable in rules functions by using the keyword let. Take a look at the documentation and the examples below. Available in Rules Language v2.

  • Ternary Operators (Rules Language enhancement). If your Security Rules contain complex control flow, you'll appreciate that there's now a Ternary Operator in Rules for Firestore and Storage. It works just as you'd expect: condition ? true case : false case. Take a look at the documentation and the examples below. Available in Rules Language v1, v2.

December 9, 2019

  • Set type (Rules Language enhancement). Sets are now a supported type in Firebase Security Rules! This is great for enforcing required and optional fields. Lists can be converted into Sets by calling myList.toSet(). Available in Firebase Security Rules Language v1, v2.

  • Rule evaluation metrics in Stackdriver. Rule evaluation metrics are now exported from Firebase into Stackdriver for Cloud Firestore, the Realtime Database, and Cloud Storage! This lets you set up monitoring and alerting around authorization requests for your app. Available in Rules Language v1, v2.

October 8, 2019

  • Map get (Rules Language enhancement). Fetching values within a map just got easier with get. It takes two arguments: the first is the key within the Map, and the second is a default value to return if the key doesn't exist. Check out the documentation and the following examples. Available in Rules Language v1, v2.

  • Hashing (Rules Language enhancement). Ever want to hash a value in Firebase Security Rules, either to obscure content that you don't want in plaintext or to avoid handling something unwieldy? Now that that Hashing is available in Firebase Security Rules, you can! Take a look at the documentation and the examples below. Available in Rules Language v1, v2.

  • String replace (Rules Language enhancement). Sometimes a String in your Rules isn't exactly in the form you need it. Now you have String.replace() to do some light cleanup. It works like you would guess: "myString".replace("my", "your") => "yourString". This function is described in the documentation and another example is shown below. Available in Firebase Security Rules Language v1, v2.