Lucas Goldner
Reputation: 730
How to set firebase security rules in order to allow only update of certain fields in document?
I would like to know how I can achieve that my user that has the following fields: uid, friends, notifications, name, username. Currently my security rules look like this for the user folder
function signedIn() {
return request.auth.uid != null;
}
match /users/{user} {
allow read, update, write: if signedIn();
}
So how can I make a rule for update: "condition", so that only friends and notifications are updateable, but not username, uid or name. Any ideas ?
Upvotes: 0
Views: 55
Answers (1)
Frank van Puffelen
Reputation: 599946
You're looking for map diffs.
For example:
request.resource.data.diff(resource.data).affectedKeys()
.difference("username", "uid", "name"].toSet()).size() === 0;
Or shorter:
!request.resource.data.diff(resource.data).affectedKeys()
.hasAny("username", "uid", "name"];
Also see:
- The documentation on map diff operations
- The documentation o controlling field access.
Upvotes: 1
Related Questions
- Firebase security rules: allow update only one field
- Firestore Security Rules - Update one specific field without providing data for the other fields
- security rules to allow update of specific fields
- Firestore Security Rules - how to prevent modification of a certain field
- Firestore Rules allow only the owner of document to update it and others to update certain fields
- Firestore rules - Allow only update certain field of a document
- Firestore Rules, allow update only certain fields
- How disallow the updating of certain fields using firestore rules?
- firestore security for the update of specific field within document
- Firebase Rules - Allow .update() Only on Certain Fields