16

I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:

user {
 name: "John"
 phone: "2342222"
 address: "5th Avenue"
}

I dont want any other fields besides the 3 above (name, phone, address).

The fields WON’T be saved at the same time. name and phone will be saved first, and address will be saved only when user wants to edit his profile.

I've tried the rules below but don’t seem to work:

allow read: if request.auth.uid == uid;
allow write: if request.auth.uid == uid && 
 request.resource.data.keys() in ["name", "phone", "address"]

Thanks for help.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Fabio Berger
  • 163
  • 1
  • 4

3 Answers3

18

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;
Mike McDonald
  • 15,609
  • 2
  • 46
  • 49
  • Cool! Although this is not as simple as my previous Realtime Database rule, it's the only one that was able to accomplish the idea. Thanks – Fabio Berger Oct 06 '17 at 15:03
  • As stated above, your RTDB rules *cant* accomplish this behavior. – Mike McDonald Oct 06 '17 at 15:05
  • how to set security rule on delete field value? – Vishu Oct 18 '17 at 13:17
  • @Vishu you can use `allow delete` – Mike McDonald Oct 18 '17 at 16:27
  • Delete helps in delete entire document with all fields. I just want to delete a particular field in a document and for that i used this code updates.put("capital", FieldValue.delete()); But how to set a security rule for this? – Vishu Oct 18 '17 at 18:22
  • This is technically an `update` as you are removing a particular field. You would write a condition: `request.resource.data.size() == resource.data.size() - 1 && !('field' in request.resource.data)` to ensure that only that one property is being deleted (as we hydrate the other document properties on `update`). – Mike McDonald Oct 18 '17 at 21:07
  • This won't really work, since the question is about updating the the address field. Thus if the address is already within the document then this rule fails not allowing the user to update their address. And even if you add OR `address' in resource.data` it opens up the adding, updating any field as long as the address field is already on the document. – Gerardlamo May 06 '19 at 21:23
  • doesn't work on multiple fields i.e. lets say you have more than 2 fields that can be added then this can't be sufficient – Harkal Jun 02 '19 at 02:53
  • I'd check out https://github.com/FirebaseExtended/protobuf-rules-gen which will generate all the permutations of required and optional fields for a given object. – Mike McDonald Jun 18 '19 at 23:21
  • Heya Mike, thanks for answer. I believe resource.data doesn't have a `hasAll()` function mentioned in the [docs](https://firebase.google.com/docs/reference/rules/rules.Map) – frunkad May 15 '20 at 23:20
12

You're looking for both the size() and hasOnly() methods.

allow write: if request.resource.data.size() == 3 
             && request.resource.data.keys().hasOnly(['name', 'phone', 'address'])

Using size() allows you to ensure an exact number of fields. Combining that with hasOnly() allows to you lock it to those specific fields.

You can read more in the Cloud Firestore Rules reference docs.

Dan McGrath
  • 41,220
  • 11
  • 99
  • 130
  • 2
    Hey Dan, thanks for the reply. That didn't work because those fields will NOT be saved at the same time. name and phone will be saved first, and address will be saved later on. So, when I try to save just the 'address', the rule will fail. – Fabio Berger Oct 06 '17 at 14:35
  • I am basically trying to accomplish this same rule as I had in Realtime Database: "name": { ".validate": true }, "phone": { ".validate": true }, "address": { ".validate": true }, "$other": { ".validate": false } – Fabio Berger Oct 06 '17 at 14:35
  • I don't believe these Rules do what you expect them to do. The RT DB doesn't differentiate creates from updates from deletes (they're all sets), so while you're enforcing that you can only write several properties, you're saying nothing about the order in which those properties are updated. – Mike McDonald Oct 06 '17 at 15:04
  • 1
    currently, you need to act on keys instead of data. The correct condition is now ´request.resource.data.keys().size() == 3 && request.resource.data.key()s.hasAll(['name', 'phone', 'address'])´ – MiguelSlv Mar 03 '18 at 12:30
  • Hi Dan, Just want to let you know that these set of rules won't work and are actually still wide open to abuse. The reasoning is that on create all three and only 3 fields being (name, phone, address) have to be specified, but on update I could give any 3 fields ie. (age, password, role) and this rule will pass since the document already contains the 3 fields it is checking. To fix this simply use hasOnly instead of hasAll, but then you are limiting what other fields you can store on the document and not what the user is allows to send. – Gerardlamo May 06 '19 at 21:20
6

To add on to Mike McDonald's answer, to check for particular keys, the form is now:

request.resource.data.keys().hasAll

instead of

request.resource.data.hasAll

Full example:

// allows for creation with name and phone fields
allow create: if request.resource.data.size() == 2
              && request.resource.data.keys().hasAll(['name', 'phone'])
              && request.resource.data.name is string
              && request.resource.data.phone is string;
// allows a single update adding the address field
// OR (||) in additional constraints
allow update: if request.resource.data.size() == resource.data.size() + 1
              && !('address' in resource.data)
              && request.resource.data.address is string;

More information here: https://firebase.google.com/docs/reference/rules/rules.Map

Mufasa
  • 61
  • 1
  • 3