32 Rule Structure and Syntax
- Rule Definition and Path Matching
- Supported Methods and Condition Expressions
- Rule Evaluation and Deployment
32.1 Rule Definition and Path Matching
Security rules in Oracle Backend for Firebase are defined using a structured block format that specifies:
- The path to the resource (collection, document, or file)
- The methods allowed (get, list, create, update, delete)
- The condition under which access is granted
The following is the basic rule template:
match /<path> {
allow <method(s)>: if <condition>;
}
- match: Defines the path to the resource
- allow: Specifies the operation(s) permitted
- if: Contains the CEL expression that must evaluate to true
Path Matching
Oracle Backend for Firebase supports flexible path definitions:
- Exact Path:
  match /users/{uid}/recipes { allow get: if true; }
- Wildcard Path (use {} to match dynamic segments):
  match /users/{userid}/recipes/{recipeid} { allow update: if request.auth.uid == resource.data.uuid; }
- Deep Wildcard (**): This applies to nested subcollections or files:
  match /users/{userid}/{document=**} { allow read: if request.auth != null; }
32.2 Supported Methods and Condition Expressions
Each rule must specify one or more of the following operations:
| Method | Description |
|---|---|
| get | Read a single document or file |
| list | Query multiple documents or files |
| read | Applies to both single-document reads and collection reads; used only when get or list is not explicitly defined |
| create | Add a new document or upload a file |
| update | Modify an existing document or file |
| write | Applies to all write operations (create, update, delete); used only when no specific write methods are defined |
| delete | Remove a document or file |
You can combine multiple methods in a rule:
allow get, list: if resource.data.isPublic == true;
Condition Expressions
Conditions are written in CEL and must return a boolean value. They can reference:
- request.auth: Authenticated user context
- request.resource.data: Incoming data
- resource.data: Stored data
- request.time, request.path, request.method
Example 32-1 Owner-Only Update
allow update: if request.auth.uid == resource.data.uuid;
Example 32-2 Attribute-Level Filter
allow get: if resource.data.isPublic == true;
32.3 Rule Evaluation and Deployment
Each rule is evaluated in the following order:
- The match block is selected based on the request path
- The method is checked against the requested operation
- The condition is evaluated using the request and resource context
- If the condition returns true, access is granted
Rules are defined per collection or file path using the Console UI.
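The evaluation flow above can be modeled offline to check which requests a rule set admits before it is entered in the Console. The following is an added illustration, not Oracle's evaluator or code from this documentation: `compile_path`, `evaluate`, `signed_in`, `owner` and `RULES` are hypothetical names, Python callables stand in for the CEL conditions, and the handling of overlapping blocks, of read/write fallback, and of unmatched paths are assumptions marked in the comments.

```python
import re

READS, WRITES = {"get", "list"}, {"create", "update", "delete"}

def compile_path(pattern):
    """{name} matches one path segment; {name=**} matches all remaining segments."""
    parts = []
    for seg in pattern.strip("/").split("/"):
        deep = re.fullmatch(r"\{(\w+)=\*\*\}", seg)
        one = re.fullmatch(r"\{(\w+)\}", seg)
        if deep:
            parts.append(f"(?P<{deep.group(1)}>.+)")
        elif one:
            parts.append(f"(?P<{one.group(1)}>[^/]+)")
        else:
            parts.append(re.escape(seg))
    return re.compile("/" + "/".join(parts))

def evaluate(rules, method, path, request, resource):
    """Follow the four steps: select block, check method, run condition, grant on true."""
    if method not in READS | WRITES:
        return False
    for pattern, allows in rules:
        bound = compile_path(pattern).fullmatch(path)
        if not bound:
            continue
        group, alias = (READS, "read") if method in READS else (WRITES, "write")
        # Assumption: read/write apply only if the block names no specific method of that group.
        cond = allows.get(method) if group.intersection(allows) else allows.get(alias)
        # Assumption: the first matching block decides; a missing allow means deny.
        return bool(cond and cond(request, resource, bound.groupdict()))
    return False  # assumption: no matching block means deny

def signed_in(req, res, seg):  # request.auth != null
    return req["auth"] is not None

def owner(req, res, seg):  # request.auth.uid == resource.data.uuid
    return signed_in(req, res, seg) and req["auth"]["uid"] == res["uuid"]

# The page's own rules, with Python callables standing in for the CEL conditions.
RULES = [
    ("/users/{userid}/recipes/{recipeid}",
     {"update": owner, "get": lambda req, res, seg: res["isPublic"] is True}),
    ("/users/{userid}/{document=**}", {"read": signed_in}),
]
```

Running the same request matrix (owner, other user, unauthenticated) against each path is a quick way to spot a method or path that a rule set leaves open or unintentionally closed.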