Firestore Security - allow only known fields
I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:
-
You're looking for both the
size()andhasOnly()methods.allow write: if request.resource.data.size() == 3 && request.resource.data.keys().hasOnly(['name', 'phone', 'address'])Using
size()allows you to ensure an exact number of fields. Combining that withhasOnly()allows to you lock it to those specific fields.You can read more in the Cloud Firestore Rules reference docs.
讨论(0) -
To add on to Mike McDonald's answer, to check for particular keys, the form is now:
request.resource.data.keys().hasAllinstead of
request.resource.data.hasAllFull example:
// allows for creation with name and phone fields allow create: if request.resource.data.size() == 2 && request.resource.data.keys().hasAll(['name', 'phone']) && request.resource.data.name is string && request.resource.data.phone is string; // allows a single update adding the address field // OR (||) in additional constraints allow update: if request.resource.data.size() == resource.data.size() + 1 && !('address' in resource.data) && request.resource.data.address is string;More information here: https://firebase.google.com/docs/reference/rules/rules.Map
讨论(0) -
You can separate your rules to include different
createandupdate(as well asdelete) logic:// allows for creation with name and phone fields allow create: if request.resource.data.size() == 2 && request.resource.data.hasAll(['name', 'phone']) && request.resource.data.name is string && request.resource.data.phone is string; // allows a single update adding the address field // OR (||) in additional constraints allow update: if request.resource.data.size() == resource.data.size() + 1 && !('address' in resource.data) && request.resource.data.address is string;讨论(0)
加载中...
- 热议问题