Firestore 安全 - 仅允许已知字段 [英] Firestore Security - allow only known fields

问题描述

我不知道如何在 Firestore 中正确设置.validate"规则.基本上，我想允许用户文档仅包含我知道的字段:

I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:

user {
 name: "John"
 phone: "2342222"
 address: "5th Avenue"
}

除了上述 3 个字段(姓名、电话、地址)之外，我不想要任何其他字段.

I dont want any other fields besides the 3 above (name, phone, address).

不会同时保存这些字段.姓名和电话将首先保存，地址仅在用户想要编辑其个人资料时保存.

The fields WON’T be saved at the same time. name and phone will be saved first, and address will be saved only when user wants to edit his profile.

我已经尝试了以下规则，但似乎不起作用:

I've tried the rules below but don’t seem to work:

allow read: if request.auth.uid == uid;
allow write: if request.auth.uid == uid && 
 request.resource.data.keys() in ["name", "phone", "address"]

感谢您的帮助.

推荐答案

您可以将您的规则分开以包含不同的 create 和 update(以及 delete) 逻辑:

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

这篇关于Firestore 安全 - 仅允许已知字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！