Firestore security rules: what happens with request.resource.data.<Prop> when updating?

My team has been discussing this recently and cannot pinpoint actual / perceived behavior:

If you have a security rule, for example the following:

match /categories/{document=**} {
    allow update: if request.auth.uid != null
    && request.resource.data.firstName is string
    && request.resource.data.lastName is string;
}

And you create an update statement from the / category / user interface with the following data:

{
   firstName: 'A valid firstName'
}

Is the security rule expected to pass or not be implemented?

The help documentation says that

The data provided by the developer is displayed in the request.resource.data file, which is a map containing fields and values. Fields not specified in the request that exist in the resource are added to request.resource.data.

Related questions:

  • , / node?
  • , - , {age: 28}
  • ?

3 ( ) , :

interface Category {
  firstName: string;
  lastName: string;
  age?: int;
  groupId?: string;
}

, :

match /categories/{document=**} {
    allow update: if request.auth.uid != null
    && request.resource.data.firstName is string
    && request.resource.data.lastName is string
    && request.resource.data.age is int
    && request.resource.data.groupId is string;
}

, : enter image description here

. , (, 1), . , 2, .

, - , , firestore?

, :

match /categories/{document=**} {
   allow update: if request.auth.uid != null
   && request.resource.data.firstName is string
   && request.resource.data.lastName is string
   && request.resource.data.age is int // ignore if NOT provided
   && request.resource.data.groupId is string; // ignore if NOT provided
}
+4
1

, ?

, lastName, string. ( , , request.auth.uid != null true)

:

  • , node.
  • firstName lastName, age . , , 2 . , .
  • ( XY, ). , , . , , 100% .

3 , , . groupId .

, , request.resource.data.firstName , , : resource.data.firstName != request.resource.data.firstName. , :

match /categories/{document=**} {
   allow update: if request.auth.uid != null
   && (request.resource.data.firstName is string && resource.data.firstName != request.resource.data.firstName)
   && (request.resource.data.lastName is string && resource.data.lastName != request.resource.data.lastName)
   && request.resource.data.age is int
   && request.resource.data.groupId is string;
}

:

{
   firstName: 'A valid firstName'
}

3 :

{
   firstName: 'A valid firstName',
   lastName: 'A valid lastName'
}

{
   firstName: 'A valid firstName',
   lastName: 'A valid lastName',
   age: 20
}

{
   firstName: 'A valid firstName',
   lastName: 'A valid lastName',
   age: 20,
   groupId: 'groupId'
}

2: age groupId , OR hasAll(), , :

match /categories/{document=**} {
   allow update: if request.auth.uid != null
   && (request.resource.data.firstName is string && resource.data.firstName != request.resource.data.firstName)
   && (request.resource.data.lastName is string && resource.data.lastName != request.resource.data.lastName)
   // Optional fields: type-checked only when present. Each OR sits inside its
   // own parentheses so it cannot bypass the auth and name checks above.
   && (!request.resource.data.keys().hasAll(['age']) || request.resource.data.age is int)
   && (!request.resource.data.keys().hasAll(['groupId']) || request.resource.data.groupId is string);
}
+2
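
The documentation sentence quoted in the question says that fields missing from the request are filled in from the stored document. The JavaScript below is an added example, not code from the question, the answer or Firebase: a simplified model of that merge for top-level fields only, with constructed function names, sample documents and uid, showing which updates the question's rules would let through.

```javascript
// Simplified model (an assumption for illustration, not Firestore code):
// on update, request.resource.data is the stored document with the
// payload's top-level fields written over it.
function requestResourceData(stored, payload) {
  return { ...stored, ...payload };
}

const isString = (v) => typeof v === 'string';
const isInt = (v) => Number.isInteger(v);

// The question's first rule: signed in, and both names are strings
// in the document as it would look after the write.
function namesRule(auth, data) {
  return auth !== null && auth.uid != null
    && isString(data.firstName) && isString(data.lastName);
}

// Optional fields: type-checked only when present in the merged document.
function optionalFieldsRule(auth, data) {
  return namesRule(auth, data)
    && (!('age' in data) || isInt(data.age))
    && (!('groupId' in data) || isString(data.groupId));
}

// Evaluate an update against the merged document, as the rule sees it.
function allowUpdate(rule, auth, stored, payload) {
  return rule(auth, requestResourceData(stored, payload));
}

// Constructed sample documents and caller.
const stored = { firstName: 'Old', lastName: 'Name' };
const legacy = { firstName: 'Old' }; // stored without lastName
const user = { uid: 'constructed-uid' };
const partial = { firstName: 'A valid firstName' };

const results = {
  partialOnComplete: allowUpdate(namesRule, user, stored, partial),
  partialOnLegacy: allowUpdate(namesRule, user, legacy, partial),
  unauthenticated: allowUpdate(optionalFieldsRule, null, stored, { age: 28 }),
  ageOnly: allowUpdate(optionalFieldsRule, user, stored, { age: 28 }),
  badAge: allowUpdate(optionalFieldsRule, user, stored, { age: '28' }),
  // A wrongly typed value already in the stored document is carried over
  // into the merged document and fails the check as well.
  storedBadAge: allowUpdate(optionalFieldsRule, user, { ...stored, age: 'n/a' }, partial),
};
console.log(results);
```

In this model the partial update passes only because lastName is carried over from the stored document, so the same payload is rejected for a document that never had that field.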

Source: https://habr.com/ru/post/1694145/

