Security rules to allow update of specific fields

Problem description

I am new to security rules. I have to write a security rule to prevent a user from updating a document except for one field.

Let's say I have the document

{ field1: one, field2: two, field3: three, ..., fieldn: n }

The logged-in user should be able to update only field2, using Firestore security rules.

Recommended answer

There is no explicit way in security rules to validate the update that is happening. But what you can do is validate the data in the document before and after the write operation. By comparing those two, and by knowing what fields the document can contain, you can ensure that only specific fields can be updated.

I often use this little helper function in my security rules:

// True when the value of `key` is the same before and after this write
function isUnmodified(key) {
  return request.resource.data[key] == resource.data[key];
}

As its name implies, it ensures that a certain key/field is not modified in this write request. For example, this rule then only allows a user to update their profile document, as long as they don't modify the name field (unless they're an admin):

// isAdmin is the author's own helper and is not shown on this page
allow update: if isAdmin(request) ||
  (request.auth.uid == uid && isUnmodified('name'));

I also have this helper function, which checks whether a specific field exists:

// True when `key` is absent from both the incoming data and the stored document.
// On a create there is no stored document, so `resource` is null.
function isNotExisting(key) {
  return !(key in request.resource.data) && (resource == null || !(key in resource.data));
}

This is important, because sometimes you want to allow a field to be only written once, or only allow it to be updated if it already exists. Sometimes I use isNotExisting for that, but I find myself more these days using the more granular actions (create, update) over the aggregate write rule.

Finally, you can require certain fields, as in this creation rule:

// hasOnly + hasAll together require the key set to be exactly these two fields
allow create: if request.auth.uid == uid &&
  request.resource.data.keys().hasOnly(['lastIndex', 'lastUpdated']) &&
  request.resource.data.keys().hasAll(['lastIndex', 'lastUpdated']);

So a user can only create a profile document if they specify lastIndex and lastUpdated fields. If they specify any additional fields, or specify fewer fields, the creation will be rejected.

Now with this knowledge, we can go back to your requirement, and see how to implement it. As said before, you will need to make a statement on each individual field, without having a wildcard in there. So if your document has three fields (field1, field2, and field3), which must all exist, and the user can only update field2, that'd be something like:

allow update: if request.resource.data.keys().hasAll(['field1', 'field2', 'field3']) &&
  isUnmodified('field1') && isUnmodified('field3');
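A complete rules file for the question's three-field document, added here as an example; it is not part of the answer above. The collection name `items`, the document wildcard `itemId`, the `field1`..`field3` names and the read rule are assumptions. The first function is the explicit enumeration approach from the answer, tightened with `hasOnly` so that a client cannot add a `field4` alongside its `field2` change (`hasAll` alone only checks that the listed keys are present, not that they are the only ones). The second function uses `Map.diff()` and `MapDiff.affectedKeys()`, which were added to the rules language after the answer was written and let the engine compute the changed key set directly.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the field `key` has the same value before and after the write.
    // Reading a missing key raises an evaluation error, which the rules engine
    // treats as a denial, so a write that adds or removes `key` is refused too.
    function isUnmodified(key) {
      return request.resource.data[key] == resource.data[key];
    }

    // Approach 1 (as in the answer): name every field explicitly.
    // hasOnly + hasAll force the key set to be exactly {field1, field2, field3},
    // then field1 and field3 are pinned, leaving only field2 free to change.
    function onlyField2ChangesExplicit() {
      return request.resource.data.keys().hasOnly(['field1', 'field2', 'field3'])
          && request.resource.data.keys().hasAll(['field1', 'field2', 'field3'])
          && isUnmodified('field1')
          && isUnmodified('field3');
    }

    // Approach 2: let the engine diff stored vs. incoming data.
    // affectedKeys() is the union of added, removed and changed keys, so any
    // write touching something other than field2 is rejected without listing
    // the remaining fields by hand.
    function onlyField2ChangesDiff() {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(['field2']);
    }

    // Assumed collection layout: /items/{itemId}
    match /items/{itemId} {
      allow read: if request.auth != null;
      // Authenticated users may update, but only field2 may differ.
      // Swap in onlyField2ChangesExplicit() for the enumeration variant.
      allow update: if request.auth != null && onlyField2ChangesDiff();
      // No allow for create or delete, so both are denied by default.
    }
  }
}
```

Before deploying, exercise both the allowed case (only `field2` differs) and the denied cases (a changed `field1`, an added `field4`, a removed `field3`) against the Firestore emulator with the `@firebase/rules-unit-testing` package; the two functions should agree on every case, and a disagreement points at a field the explicit list forgot.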
