发表新帖
发表新帖

Allow update on single field in firestore

后端 未结
关注
6 669
南方客
南方客 2020-12-01 19:03

I want to give a user the right to update a document. But ONLY if the user updates one specific field of this document. All other fields shouldn\'t be changed by this user.<

相关标签:
6条回答
  • 北恋
    2020-12-01 19:24

    Update: Instead of writeFields, you can now use Map.diff()

    Check out the writeFields variable for security rules:

    allow update: if ((request.writeFields.size() == 1) && ('open' in request.writeFields));
    0 讨论(0)
  • 遇见更好的自我
    2020-12-01 19:36

    You can use :

    allow update: if request.resource.data.diff(resource.data).affectedKeys().hasOnly(["fieldToBeUpdated"]);

    OR

    allow update: if request.resource.data.diff(resource.data).affectedKeys() == ["fieldToBeUpdated"].toSet;

    You can replace affectedKeys() with addedKeys() , removedKeys() or changedKeys() depending upon your use case.

    affectedKeys() as the name suggests is equivalent to using all the three together.

    For more details please read the docs here https://firebase.google.com/docs/reference/rules/rules.MapDiff

    0 讨论(0)
  • 春和景丽
    2020-12-01 19:39

    Map diffs in the Rules language were introduced to solve this:

    function isUpdateToOpenField() {
    return request.resource.data.diff(resource.data).affectedKeys().hasOnly(['open']);
}

allow update: if isUpdateToOpenField(request.resource.data);
    0 讨论(0)
  • 遥遥无期
    2020-12-01 19:41

    the same answer of "Scott Crossen" with little change, to be more genric

    function isUpdateToOpenField(attr) {
    return request.resource.data.diff(resource.data).affectedKeys().hasOnly([attr]);
}

allow update: if isUpdateToOpenField('open');

    0 讨论(0)
  • 孤街浪徒
    2020-12-01 19:45

    Since request.resource.data will show the future object after the write - the only way is to check every field using the following:

       function notUpdating(field) {
     return !(field in request.resource.data)
      || resource.data[field] == request.resource.data[field]
   }

   allow update: if notUpdating('title') && notUpdating('description')

    Make sure you validate that the user doesn't update all of the fields except the field you want him to have access to

    0 讨论(0)
  • 野趣味
    2020-12-01 19:47

    Since writeFields is deprecated and should not be used, you will have to examine request.resource.data. However, it always contains all of the fields of the written document (it's final state). This means that you will have to compare all of the fields of the written document to the fields of the original document in resource.data in order to make sure that only the ones that changed are the ones that you allow to be changed.

    Currently this requires an explicit check for every field that could possibly be written, which is not fun to implement. The Firebase team is looking into ways of making this sort of rule easier to express by allowing you to diff the data maps of the "before" and "after" documents.

    0 讨论(0)
 看不清?
提交回复
热议问题