Implement role-based access control by storing a role field (admin, editor, viewer) on each Firestore users document. Use On Page Load Conditional Actions to redirect unauthorized users, Conditional Visibility to hide UI elements per role, and Firestore Security Rules to enforce access server-side. Build an admin panel where admins can change user roles via a DropDown selector.
Authorization with Firestore roles and FlutterFlow page guards
Authentication proves WHO a user is; authorization decides WHAT they can do. This tutorial builds a complete RBAC system: a Firestore role field on user documents, page-level guards that redirect unauthorized users, Conditional Visibility that hides edit and delete buttons from viewers, Firestore Security Rules that enforce access even if someone bypasses the UI, and an admin panel where administrators can promote or demote users.
Prerequisites
- A FlutterFlow project with Firebase/Firestore connected
- Firebase Authentication enabled with at least two test users
- Basic understanding of Firestore document fields and Backend Queries
- Familiarity with Conditional Visibility in FlutterFlow
Step-by-step guide
Add a role field to the Firestore users collection
Add a role field to the Firestore users collection
Open the Firestore Schema in FlutterFlow and add a new field called role of type String to your users collection. Set the default value to viewer. The allowed values are admin, editor, and viewer. Manually set one test user's role to admin directly in the Firebase Console. This role field becomes the single source of truth for what each user is allowed to do throughout the app. Do not use an integer or boolean — a descriptive string enum is clearer and extensible if you add roles later.
Expected result: Every user document has a role field set to admin, editor, or viewer.
Create On Page Load guards to redirect unauthorized users
Create On Page Load guards to redirect unauthorized users
Open your admin-only page (e.g., AdminDashboard). In the Action Flow editor, add an On Page Load action. Insert a Conditional Action: if currentUserDocument.role is NOT equal to admin, execute Navigate To → HomePage with Replace Route enabled. This prevents non-admins from accessing the page even if they type the URL directly. Repeat for editor-only pages with the condition checking role != admin AND role != editor. The Replace Route option removes the restricted page from the navigation stack so the back button cannot return to it.
Expected result: Non-admin users who navigate to the admin page are immediately redirected to the home page.
Apply Conditional Visibility to role-gated UI elements
Apply Conditional Visibility to role-gated UI elements
Select any element that should only appear for certain roles — for example, an Edit button on a content card. In the Properties Panel, scroll to Conditional Visibility. Set the condition to currentUserDocument.role == admin OR currentUserDocument.role == editor. For delete buttons, restrict to admin only. For the admin navigation tab in a BottomNavigationBar, wrap it in a Container and apply Conditional Visibility where role == admin. This hides the UI for unauthorized users but remember: UI hiding alone is not security — Firestore Rules are the real enforcement.
Expected result: Viewers see only read-only UI. Editors see edit buttons. Admins see all controls including the admin nav tab.
Write Firestore Security Rules to enforce role-based writes
Write Firestore Security Rules to enforce role-based writes
In the Firebase Console under Firestore Rules, add rules that check the requesting user's role document before allowing writes. For a content collection: match /content/{docId} { allow read: if request.auth != null; allow create, update: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role in ['admin', 'editor']; allow delete: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin'; }. This ensures that even if someone bypasses the FlutterFlow UI and calls Firestore directly via the API, they cannot write or delete without the proper role.
1rules_version = '2';2service cloud.firestore {3 match /databases/{database}/documents {4 function userRole() {5 return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;6 }7 match /content/{docId} {8 allow read: if request.auth != null;9 allow create, update: if userRole() in ['admin', 'editor'];10 allow delete: if userRole() == 'admin';11 }12 match /users/{userId} {13 allow read: if request.auth != null;14 allow update: if request.auth.uid == userId15 && request.resource.data.role == resource.data.role16 || userRole() == 'admin';17 }18 }19}Expected result: Firestore rejects unauthorized writes regardless of the client used.
Build the admin user-management panel
Build the admin user-management panel
Create a new page called AdminUserManagement. Add a ListView bound to a Backend Query on the users collection ordered by displayName ascending. Each list item Row contains a CircleImage for the avatar, a Text widget showing displayName, a Text showing email, and a DropDown widget populated with the values admin, editor, viewer. Bind the DropDown initial value to the user document's role field. On the DropDown's On Change action trigger, add an Update Document action targeting that user's document reference, setting the role field to the new DropDown value. Because your Firestore Rules restrict role changes to admins, only admin users can successfully execute this update.
Expected result: Admins can view all users in a list and change any user's role via a dropdown selector.
Complete working example
1Firestore Data Model:2└── users/{uid}3 ├── displayName: String4 ├── email: String5 ├── avatar: String (URL)6 └── role: String ("admin" | "editor" | "viewer", default: "viewer")78Page Guard Pattern (On Page Load):9├── AdminDashboard10│ └── On Page Load → Conditional Action11│ └── IF currentUserDocument.role != 'admin'12│ └── Navigate To: HomePage (Replace Route: ON)13├── EditorPage14│ └── On Page Load → Conditional Action15│ └── IF role NOT IN ['admin', 'editor']16│ └── Navigate To: HomePage (Replace Route: ON)1718Conditional Visibility per Role:19├── Edit Button → Visible IF role IN ['admin', 'editor']20├── Delete Button → Visible IF role == 'admin'21├── Admin Nav Tab → Visible IF role == 'admin'22└── Publish Toggle → Visible IF role IN ['admin', 'editor']2324Admin User Management Page:25├── AppBar: Title "User Management"26└── ListView (query: users, orderBy: displayName ASC)27 └── Row28 ├── CircleImage (avatar, 40x40)29 ├── Column30 │ ├── Text (displayName, fontWeight: bold)31 │ └── Text (email, secondaryText)32 └── DropDown (values: admin/editor/viewer)33 ├── Initial Value: user.role34 └── On Change → Update Document (user.ref, role: newValue)3536Firestore Security Rules:37├── /content/* → read: authenticated; write: admin|editor; delete: admin38└── /users/{uid} → role field: only admin can change others' rolesCommon mistakes when creating a Role-Based Access Control System in FlutterFlow
Why it's a problem: Only hiding UI elements without Firestore Security Rules
How to avoid: Always pair UI-level Conditional Visibility with Firestore Security Rules that check the user's role document before allowing reads, writes, or deletes.
Why it's a problem: Storing the role in App State instead of Firestore
How to avoid: Always read the role from the Firestore user document (currentUserDocument.role). Firestore is the server-side source of truth that cannot be tampered with from the client.
Why it's a problem: Using Navigate instead of Navigate with Replace Route for page guards
How to avoid: Enable Replace Route on the Navigate action inside your On Page Load guard so the restricted page is removed from the stack entirely.
Best practices
- Use descriptive string roles (admin/editor/viewer) instead of numeric levels for clarity and extensibility
- Always enforce access in Firestore Security Rules — UI hiding is cosmetic, rules are the real gate
- Use Replace Route in page guards so the back button cannot return to restricted pages
- Add a confirmation dialog before role changes to prevent accidental promotions or demotions
- Restrict role field updates in Firestore Rules so only admins can change roles
- Log role changes in an audit_log collection for accountability
- Test with multiple accounts: verify each role sees only its allowed UI and can only perform its allowed actions
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
Design a Firestore Security Rules file for a FlutterFlow app with three roles: admin, editor, and viewer. The role is stored on each user's document at users/{uid}.role. Admins can read and write everything. Editors can read all and write to the content collection but not delete. Viewers can only read. Only admins can change another user's role field.
Create an admin user management page with a ListView of all users showing their avatar, display name, email, and a dropdown to change their role between admin, editor, and viewer. When the dropdown changes, update that user's Firestore document role field.
Frequently asked questions
What is the difference between authentication and authorization in FlutterFlow?
Authentication (Firebase Auth) proves WHO the user is — email/password login, Google sign-in, etc. Authorization (RBAC) decides WHAT that authenticated user can do — admin can delete content, viewer can only read. This tutorial covers authorization.
Can I add more roles beyond admin, editor, and viewer?
Yes. Because the role field is a String, you can add any new role like moderator or manager. Update your Firestore Rules, Conditional Visibility conditions, and page guards to include the new role in the appropriate access checks.
How do I assign a role when a user first signs up?
In your signup Action Flow, after Create Account, add a Create Document action on the users collection that sets role to viewer (the default). Alternatively, use a Cloud Function triggered by auth.user().onCreate that automatically creates the user document with role: viewer.
Is Conditional Visibility enough to protect sensitive pages?
No. Conditional Visibility only hides elements in the UI. A user could call the Firestore API directly, bypassing FlutterFlow entirely. You must enforce access in Firestore Security Rules, which check the user's role on the server before allowing any read or write.
How do I prevent a non-admin from changing their own role to admin?
Add a Firestore Security Rule on the users collection: allow update only if request.resource.data.role == resource.data.role (role unchanged) OR the requester's own role is admin. This blocks users from modifying their own role field unless an admin does it.
Can RapidDev help implement complex role hierarchies with permission matrices?
Yes. For apps needing granular permissions (e.g., per-feature flags, team-based access, or role inheritance), RapidDev can architect a scalable permission system with Firestore, Cloud Functions, and custom claims that goes beyond basic role fields.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation