Firestore安全规则-如何防止对特定字段进行修改 [英] Firestore Security Rules - how to prevent modification of a certain field
问题描述
假设我们有一个名为todos
的Firestore集合,其中每个待办事项都将如下所示:
Let's assume we have a Firestore collection called todos
, where each todo will look something like this:
{
name: "Buy milk",
completed: false,
user: "eYtGDHdfgSERewfqwEFfweE" // some user's uid
}
现在,我想在更新期间user
字段进行修改(换句话说,将该字段设置为只读).
Now, I want to prevent modification of the user
field during updates (in other words - make this field read-only).
相信我,我已经完成了研究.我的update
规则如下:
Believe me, I've done my research. My update
rule looks like this:
allow update: if request.auth.uid == resource.data.user
//&& !request.writeFields.hasAny(["user"]);
//&& !(request.writeFields.hasAny(["user"]));
//&& !request.resource.data.keys().hasAny(["user"]);
//&& !('user' in request.resource.data);
//&& ('user' in request.resource.data) == false;
//&& !('user' in request.writeFields);
没有以上(注释掉)的工作.它们都导致错误:Error: Missing or insufficient permissions.
.
None of the above (commented out) work. They all result in an error: Error: Missing or insufficient permissions.
.
但是...
它变得更加有趣!因为如果我们比较上述某些关于阳性结果(又名true
)的规则,它们将起作用!
It gets even more interesting! Because if we compare some of the above rules for positive outcome (aka true
) they will work!
例如,这个效果很好(假设我们在请求中包含了user
字段):
For example, this one works perfectly (assuming we include user
field in our request):
allow update: if request.resource.data.keys().hasAny(["user"]) == true;
但此操作不起作用(假设我们在请求中不包含user
字段):
BUT this one doesn't work (assuming we do NOT include the user
field in the request):
allow update: if request.resource.data.keys().hasAny(["user"]) == false;
有人可以解释一下这是怎么回事吗?难道这实际上是Firestore中的错误?
Can anyone explain me what is going on here? Is it possible this is actually a bug in Firestore?
推荐答案
在"Cloud Firestore安全规则的编写条件"部分的数据验证"示例#2
At "Writing conditions for Cloud Firestore Security Rules" section "Data validation" example #2
service cloud.firestore {
match /databases/{database}/documents {
// Make sure all cities have a positive population and
// the name is not changed
match /cities/{city} {
allow update: if request.resource.data.population > 0
&& request.resource.data.name == resource.data.name;
}
}
}
那么request.resource.data.user == resource.data.user
应该适合您吗? CMIIW
So request.resource.data.user == resource.data.user
should work for you? CMIIW
引用: https://firebase.google.com/docs /firestore/security/rules-conditions#data_validation
这篇关于Firestore安全规则-如何防止对特定字段进行修改的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!