Reputation: 1491
Comparing resource and request resource in firestore
I have a simple firestore rule:
allow update: if request.resource.data.reservedBy == resource.data.reservedBy;
my payload in the simulator is
{"name":"/databases/(default)/documents/books/I3dbzzwGJGXnqMQBOxoP","data":{"reservedBy":"Ivanko"}}
and the method is "update". The value of the field 'reservedBy' is completely different in the actual record.
No matter what I do, no matter what i change the payload to, the rule will always return true and allow the update. Is that a bug or am i missing something. Interestingly, if I change "update" to "create", the rule works as expected. Anyone else encountered this?
Thanks.
Upvotes: 4
Views: 2005
Answers (2)
Reputation: 103
I have been dealing with a similar issue and I found this to be the culprit...excerpt from (https://firebase.google.com/docs/firestore/security/rules-conditions). --For update operations that only modify a subset of the document fields, the request.resource variable will contain the "pending" document state "after" the operation.
Upvotes: 2
Reputation: 1491
Just got an answer from the Firebase team saying that it is indeed a simulator bug, and that the rule should work in production.
Upvotes: 1
Related Questions
- How do I achieve this security logic in Firebase FireStore?
- Firestore security rules: evaluating incoming requests against other documents in the database
- Firestore Security: Deny Update / Write If Field In Request Resource (Works in simulator, not IRL)
- Read Firebase Firestore document if it document's property matches a request property
- Limit access to firestore based on query conditions
- Rules Firestore, get resource from parent?
- request.resource object in the context of read request to firestore with the security rule
- Using resource.data in Firestore rules
- Firebase Firestore access rules - Comparing resource data
- Firestore security rules based on request query value