k0ff33

Reputation: 311

Cloud Firestore security rules - single protected field in a document

I'd like to have a read-only property called suspendedProfile in a user document, with all the other properties having read/write access for the currently logged-in user. Is there a way to do it with a simple security rule?

I thought about 2 solutions:

  1. disallow writes that modify the property like allow write: if request.resource.data.suspendedProfile == null;
  2. a /secure collection with allow read; inside the user document

I think the first option is better, as all the user-related properties are in a single document, but I'd love to hear your thoughts. Is there any other simpler way to achieve this?

Upvotes: 6

Views: 2039

Answers (1)

k0ff33

Reputation: 311

I think I managed to find a solution for my own answer using Firebase documentation.

// A user can update a product review, but they can't change
// the headline.
// Also, they should only be able to update their own product review,
// and they still have to list themselves as an author
allow update: if request.resource.data.headline == resource.data.headline
                    && resource.data.authorID == request.auth.uid
                    && request.resource.data.authorID == request.auth.uid;

So in my case, I will just allow update: if request.resource.data.suspendedProfile == resource.data.suspendedProfile

Upvotes: 10
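
A fuller rule set built around the check in the answer above, as an added example that is not part of the original post or of the Firebase documentation. It assumes profiles are stored at /users/{userId} with the document ID equal to the Auth uid, and that suspendedProfile is only ever written server-side (the Admin SDK bypasses security rules). It also covers two cases the one-line rule leaves open: a document that does not have the field yet, and document creation.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumption: one profile document per user, keyed by the Auth uid.
    match /users/{userId} {
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }

      // True when the write adds, changes or removes suspendedProfile.
      // diff() compares the whole maps, so it does not raise an error when
      // the field is absent, whereas reading a missing key directly does
      // (and an error makes the rule deny the write).
      function touchesSuspended() {
        return request.resource.data.diff(resource.data).affectedKeys()
                 .hasAny(['suspendedProfile']);
      }

      allow read: if isOwner();

      // On create there is no stored document to compare against, so the
      // client must not supply the field at all.
      allow create: if isOwner()
                    && !('suspendedProfile' in request.resource.data);

      allow update: if isOwner() && !touchesSuspended();

      // No client-side delete: deleting and re-creating the document
      // would otherwise clear the flag.
    }
  }
}
```

These rules can be exercised against the Firebase Local Emulator Suite before deployment, with one test per case: owner update without the field, owner update changing the field, and create with the field present.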
