Firestore安全规则-如何防止对特定字段进行修改 [英] Firestore Security Rules - how to prevent modification of a certain field

问题描述

假设我们有一个名为todos的Firestore集合，其中每个待办事项都将如下所示:

Let's assume we have a Firestore collection called todos, where each todo will look something like this:

{
    name: "Buy milk",
    completed: false,
    user: "eYtGDHdfgSERewfqwEFfweE" // some user's uid
}

现在，我想在更新期间user字段进行修改(换句话说，将该字段设置为只读).

Now, I want to prevent modification of the user field during updates (in other words - make this field read-only).

相信我，我已经完成了研究.我的update规则如下:

Believe me, I've done my research. My update rule looks like this:

allow update: if request.auth.uid == resource.data.user
              //&& !request.writeFields.hasAny(["user"]);
              //&& !(request.writeFields.hasAny(["user"]));
              //&& !request.resource.data.keys().hasAny(["user"]);
              //&& !('user' in request.resource.data);
              //&& ('user' in request.resource.data) == false;
              //&& !('user' in request.writeFields);

没有以上(注释掉)的工作.它们都导致错误:Error: Missing or insufficient permissions..

None of the above (commented out) work. They all result in an error: Error: Missing or insufficient permissions..

但是...

它变得更加有趣！因为如果我们比较上述某些关于阳性结果(又名true)的规则，它们将起作用！

It gets even more interesting! Because if we compare some of the above rules for positive outcome (aka true) they will work!

例如，这个效果很好(假设我们在请求中包含了user字段):

For example, this one works perfectly (assuming we include user field in our request):

allow update: if request.resource.data.keys().hasAny(["user"]) == true;

但此操作不起作用(假设我们在请求中不包含user字段):

BUT this one doesn't work (assuming we do NOT include the user field in the request):

allow update: if request.resource.data.keys().hasAny(["user"]) == false;

有人可以解释一下这是怎么回事吗?难道这实际上是Firestore中的错误?

Can anyone explain me what is going on here? Is it possible this is actually a bug in Firestore?

推荐答案

在"Cloud Firestore安全规则的编写条件"部分的数据验证"示例#2

At "Writing conditions for Cloud Firestore Security Rules" section "Data validation" example #2

service cloud.firestore {
  match /databases/{database}/documents {
    // Make sure all cities have a positive population and
    // the name is not changed
    match /cities/{city} {
      allow update: if request.resource.data.population > 0
                    && request.resource.data.name == resource.data.name;
    }
  }
}

那么request.resource.data.user == resource.data.user应该适合您吗? CMIIW

So request.resource.data.user == resource.data.user should work for you? CMIIW

引用: https://firebase.google.com/docs /firestore/security/rules-conditions#data_validation

这篇关于Firestore安全规则-如何防止对特定字段进行修改的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！