Is it a good security rules practice?

Database & APIs

Hello. Is it a good practice to not allow users in the firestore rules to create/edit/delete documents but give them this possibility only with backend of the app? Or maybe it is a good practice only for certain types of the documents? Please let me know, thank you.

EDIT: Or maybe since flutterflow is an 'editor' in the firebase I should say that users cannot do all of that unless their email matches the flutterflow's one? Which would basically mean that if any action wasn't performed in my app it basically didn't happen. Does it make sense?

What have you tried so far?

I've read a lot and watched firestore yt series

Did you check FlutterFlow's Documentation for this topic?
Yes
9 replies
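As an added illustration (not code from the original post or from FlutterFlow), here is a Firestore rules file that shows both patterns the question raises side by side: one collection that clients may only read, where every write must come from the backend, and one collection that users may edit themselves, with the sensitive fields still reserved for the backend. It relies on the fact that writes made through the Firebase Admin SDK (Cloud Functions or any server using a service account) bypass security rules entirely, so `allow write: if false` blocks app clients without blocking the backend. The collection names (`orders`, `profiles`), field names (`userId`, `role`, `credits`, `displayName`, `bio`) and the choice of which fields are protected are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: the request carries a verified Firebase Auth identity.
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the caller owns the document (ownership field is an assumption).
    function isOwner(doc) {
      return signedIn() && doc.userId == request.auth.uid;
    }

    // Pattern 1: backend-only writes.
    // Clients can read their own orders; nothing on the client can create,
    // edit or delete one. The backend uses the Admin SDK, which is not
    // subject to these rules, so it can still write here.
    match /orders/{orderId} {
      allow read: if isOwner(resource.data);
      allow write: if false;
    }

    // Pattern 2: user-editable documents with server-reserved fields.
    // A user may create and update their own profile, but only with the
    // fields listed in `editable`; `role` and `credits` (assumed names)
    // can only be set by the backend. Deletion is left to the backend too.
    match /profiles/{userId} {
      function editable() {
        return ['displayName', 'bio'];
      }

      allow read: if signedIn();

      // On create the document may contain only editable fields,
      // so a client cannot grant itself a role or a balance.
      allow create: if signedIn()
                    && request.auth.uid == userId
                    && request.resource.data.keys().hasOnly(editable());

      // On update, every changed key must be one of the editable fields;
      // protected fields written earlier by the backend stay untouched.
      allow update: if signedIn()
                    && request.auth.uid == userId
                    && request.resource.data.diff(resource.data)
                         .affectedKeys()
                         .hasOnly(editable());

      allow delete: if false;
    }

    // Default: anything not matched above is denied to clients.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points worth checking before relying on this in practice: verify the behaviour in the Firestore emulator or the Rules Playground with a signed-in test user that tries to write `role` or `credits`, and remember that rules are not filters, so a query against `orders` must itself be constrained to `where('userId', '==', uid)` or the read will be rejected as a whole.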