Firestore安全性-仅允许已知字段 [英] Firestore Security - allow only known fields

问题描述

我不知道如何在Firestore中正确设置".validate"规则. 基本上，我希望允许用户文档仅包含我知道的字段: :

I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:

user {
 name: "John"
 phone: "2342222"
 address: "5th Avenue"
}

除了上面的3个字段(姓名，电话，地址)之外，我不希望其他任何字段.

I dont want any other fields besides the 3 above (name, phone, address).

不会同时保存字段. 姓名和电话将首先保存，而地址仅在用户要编辑其个人资料时保存.

The fields WON’T be saved at the same time. name and phone will be saved first, and address will be saved only when user wants to edit his profile.

我尝试了以下规则，但似乎不起作用:

I've tried the rules below but don’t seem to work:

allow read: if request.auth.uid == uid;
allow write: if request.auth.uid == uid && 
 request.resource.data.keys() in ["name", "phone", "address"]

感谢您的帮助.

推荐答案

您可以将规则分开，以包含不同的create和update(以及delete)逻辑:

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

这篇关于Firestore安全性-仅允许已知字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！