Reputation: 1286
Firestore security rules, restricting child/field
What is the equivalent way of Firebase RTDB's newData.hasChildren(['name', 'age', 'gender']) in Firestore? How to restrict the child/field?
Update: I have updated my question with Firestore rules and explained my issue in detail.
match /{country} {
allow read: if true;
allow create: if isAdministrator()
&& incomingData().countryCode is string
&& incomingData().dialCode is string;
allow update: if (isAdministrator() || isAdminEditor())
&& incomingData().countryCode is string
&& incomingData().dialCode is string;
allow delete: if isAdministrator();
}create, read and delete is working as expected. But if I try to update using Hashmap with any unmentioned child, it will update without throwing any exception unlike Firebase Database rules, where we mention all the possible childs in newData.hasChildren([]).
Upvotes: 0
Views: 628
Answers (1)
Reputation: 317352
What you're doing right now is just checking if two provided field values are strings. You're not requiring that only those to fields exist in the update data. What you can do is use the keys() method of the data map to verify that only certain fields exist in the update. For example, this may work:
request.resource.data.keys().hasOnly(['countryCode', 'dialCode'])
There are a number of other methods available on List objects to help you determine its contents.
Upvotes: 4
Related Questions
- Firestore security rules | enforcing field VALUES
- Firebase security rules to an specific field
- Firestore per-field security rule
- Rules on specific fields on Firebase
- Only allow certain fields (Firestore Rules)
- Firebase rule to allow write only for children
- Firestore rules - securing data by field
- Firebase Firestore Security Rules: Allow subset of fields
- Firestore security rules, nested field
- Firestore: restricting child/field access with security rules