Google firebase's firestore rules block key creation/edits

Question

I have the following firestore rule to allow user access to only their record. It works fine...

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }    
  }
}

Now under the users collection, each document contains a field/key name "isAuthenticated" which is set to true from the server side backend using service account persmission.

How can I setup the rules to make sure even the authenticated user cannot update that particular key?

why track `isAuthenticated` in your database for each user? – Ronnie Royston Jun 18 '18 at 15:01 — Ronnie Royston, Jun 18 '18 at 15:01

Frank van Puffelen · Accepted Answer · 2018-06-18T14:18:59.263

2

To disallow all regular users from creating documents:

allow create: if false;

But note that someone accessing the database with the Admin SDK will still be able to create documents, since they access it with administrative privileges.

**Update*: to prevent the user from updating any fields:

allow update: if false;

To disallow updating a specific field:

allow update: if !("isAuthenticated" in request.writeFields);

See:

edited Jun 18 '18 at 14:18

answered Jun 17 '18 at 13:45

Frank van Puffelen

565,676
79
828
807

1

Yea but that's the entire document, what about a specific key within a document? – LAX_DEV Jun 18 '18 at 07:05
Thank you. You are a lifesaver. request.writeFields does it. – LAX_DEV Jun 18 '18 at 16:50

Google firebase's firestore rules block key creation/edits

1 Answers1